MOBILE PAYMENT SECURITY: BLE OR NFC




NEW SCIENCE TRANSACTION SECURITY ARTICLE MOBILE PAYMENT SECURITY: BLE OR NFC SUMMER 2014 UL.COM/NEWSCIENCE

NEW SCIENCE TRANSACTION SECURITY OVERVIEW

From research on the latest electronic transaction security technologies to comprehensive strategies for reliable mobile payment solutions, UL's New Science advances are helping to support compliance, interoperability and security for the latest transaction technology implementations. UL is working with customers across the industry, conducting state-of-the-art pilots; analyzing and assessing the security, functionality and interoperability of new and existing technologies; enhancing implementation processes; and developing unique migration architectures to help transition disparate systems to a new platform.

WHY BLE OR NFC MATTERS

Mobile technology, particularly mobile payments, is a reality today that is rapidly growing and reshaping both the payment and retail landscapes. With the continued expansion of global smartphone usage, the impact of mobility is moving beyond e-commerce and changing the shopping experience in bricks-and-mortar retail environments. Near Field Communication (NFC) and, more recently, Bluetooth Low Energy (BLE), are two technologies at the forefront of these changes. There are potential risks and challenges related to each, however, and how they are implemented, whether together or one instead of the other, can affect the security of the system for consumers, retailers and service providers.

CONTEXT

By the end of 2013, smartphone penetration had passed 20 percent of the world's population, with just over 1.4 billion smartphones in use. [1] The market is projected to expand 75 percent, reaching 2.5 billion users in 2017. [2] These devices have already changed the retail experience for millions: research shows that 71 percent of today's smartphone-enabled shoppers expect to view in-store inventory online, 50 percent expect to be able to buy products online and pick them up in-store, 56 percent have researched products at home and 34 percent have used their phones to research products while in-store. [3]

Smartphones are also playing a significant role in mobile payments, which totaled $172 billion globally in 2012. [4] Mobile payments are projected to increase to $1.3 trillion in 2017, 91 percent of which is projected to be transacted in-store and 9 percent with online retailers. [5]

NFC is well established and widely considered the principal mobile payment technology because it has been successfully piloted, trialed, tested and implemented in more than 70 countries [6], and because of the simplicity and speed NFC can bring to the shopping experience. [7] This technology allows a shopper to hold a handset within a few inches of a point-of-sale (POS) terminal and type in a PIN code to make a payment transaction. [8]

Like NFC, the newer BLE is a data transfer technology that can be used to communicate between a smartphone and a payment terminal. [9] And while BLE was introduced in 2010 (with the high-profile PayPal Beacon and Apple iBeacon introductions in 2013), it is based on the proven Bluetooth technology that has been in broad market use since 2000. [10] However, BLE works at distances 100 to 1,000 times further than NFC, which adds complexity to payment identification. [11] Yet, this may also enable BLE beacons to target shoppers with offers, information and payment options that could create a new location- and context-relevant shopping experience. [12]

Although NFC has been around longer, a mass-adopted winner has yet to emerge among mobile payment technologies, and there is still debate as to which will become the new standard. [13] There is also a question about the optimal roles of BLE and NFC in a mobile in-store payment transaction context; specifically, is BLE viable as a substitute for NFC, should it have any role in mobile payment schemes or is it best suited as a complement to NFC? [14]

WHAT DID UL DO?

UL conducted a rigorous, in-depth assessment of the relative strengths and weaknesses of NFC and BLE, which enabled us to develop new insights about the optimal role of each technology at retail. We began with a comprehensive review of available information on both technologies, including published perspectives encompassing a range of "for" and "against" views for each technology. We wanted to understand the technologies and the retail market to determine which better addressed existing needs and issues. Our research also covered blogs and articles, often representing the experiences of early adopters, as well as news articles, scientific papers, NFC case studies and published statements of involved organizations about their implementation experiences. Based on this extensive assessment, we formed several hypotheses. [15]

To test and refine our hypotheses, we needed to compare NFC to BLE on a systems level. To enable reliable comparisons between NFC (for which significant field performance data exists) and BLE (for which field data is lacking), UL designed conceptual BLE payment system models. These models build on the known differences between BLE and Classic Bluetooth technology, and were developed as follows:

(1) Dividing the payment system into functional blocks based on published performance features.
(2) Combining these blocks in a non-biased and exhaustive way using a morphological chart to cover every possible configuration.
(3) Optimizing the BLE payment system alternatives through a process of falsification, which entailed proving a system wrong to identify and address the causes.
(4) Reviewing each system based on the expert opinions of our peers in the field.
(5) Making improvements to the system and then repeating the process from step three until each system met our quality standards. [16]

We then used the optimized BLE conceptual models to explore the three most likely BLE payment scenarios based on our assessment of the retail marketplace, as well as what is being discussed publicly by retailers and payment service providers:

- Replacing NFC with BLE, which allows for payment at a cashier with agreement on the customer handset.
- Using the PayPal Beacon hands-free system, based on the proposed implementation by PayPal, which entails paying at the cashier with verbal confirmation.
- Take and Shake, in which the shopper scans the items to be purchased and pays without a cashier. [17]

UL compared learnings from the three BLE scenarios with the known performance parameters of NFC payment systems to develop the following insights.

Enhancing the Shopping Experience

BLE supports location-based services, identifying a customer's position in and near a store over time, which allows for targeted marketing and information. Some examples include convincing customers to enter the store when they pass by, providing customers with indoor directions and targeting a specific customer with a coupon (e.g., after spending some time at the coat section, they receive a coupon for 10 percent off coats within the next 15 minutes). An important reason why couponing might succeed with BLE while it failed with Classic Bluetooth is that with BLE, a customer can opt in, avoiding spamming. This was an issue with couponing via Classic Bluetooth. [18]

With NFC, it is possible to have tags around a store to provide additional information to shoppers or to enable them to pick up coupons. This also allows for location-based marketing but requires more effort from the shopper. However, this additional effort could be minimized by employing additional technologies to reach and locate customers without requiring them to scan tags throughout the store (e.g., by using SMS or Wi-Fi). [19]

Another potential shift in the shopping experience is related to detailed payment statistics. With BLE, if payment details are not only sent to the POS terminal, but also to the cloud, it would be possible to link specific purchases to a customer account such as, for example, with a loyalty card. This would enable detailed payment statistics to be gathered, which would allow for targeted marketing and couponing based on a shopper's previous purchases. With NFC, this process would require an additional tap along with a supporting technology and/or a loyalty application that has access to the data.

We then focused on comparing BLE to NFC, based on the in-store mobile payment where a customer in a physical store performs a wireless payment transaction with a handset. In addition, we wanted to concentrate on the transfer of data during the actual payment transaction. [20]

Different Uses Are Supported

When transferring data, BLE's longer range allows for increased convenience (more flexibility in how a retailer enables consumers to pay). NFC's shorter range makes spying on the transferred data more difficult, which enhances security when performing short-distance transactions. Because of its longer range and low-power beacons, BLE is ideally used for positioning information about a device in relation to its surroundings (e.g., for mapping). The principle underlying the use of both technologies is different: with NFC, customers are targeted based on their range while with BLE, customers are targeted based on their mapped position. [21]

One of the main differences between an NFC and a BLE transaction is the distance over which a payment transaction can occur. With NFC, the customer has to hold the handset a few centimeters from the POS terminal to make a connection. An important difference from an infrastructure perspective is that an NFC-capable antenna is already an integrated and certified part of a growing number of POS terminals and even some ATMs. Because of this, no separate receiver (beacon) is required, as is the case with BLE. [22]

Advantages of BLE Over NFC

Relative to the payment transaction, BLE has one main advantage over NFC: payment freedom. Specifically, BLE makes it possible to connect to a POS terminal or the cloud from anywhere in a store, even when it is a crowded indoor location. This gives customers the freedom to pay anywhere they want and thus avoid waiting in line (i.e., the Take and Shake scenario), and would most likely be a card-not-present transaction. Furthermore, if the system included an automated BLE connection in combination with a pre-authorized payment transaction, this would allow for hands-free payment transactions (i.e., the PayPal Beacon scenario). On the other hand, an NFC payment transaction always needs a nearby POS terminal and does not allow for hands-free payment transactions. [23]

Disadvantages of BLE Compared to NFC

BLE has four disadvantages compared to NFC, relative to payment transactions:

1) NFC is more secure, principally because its shorter operating distance makes spying more difficult.
2) NFC more easily enables card-present transactions against lower transaction fees compared to the card-not-present transactions supported by BLE.
3) NFC is compatible in a broader contactless environment.
4) NFC presumably requires less investment in POS technology. [24]

1. Security

With NFC, the short distance over which a transaction occurs provides additional visual security because the customer sees the POS terminal with which the handset communicates. This feature is lacking with BLE payment transactions over longer distances, which relates to all three BLE scenarios. Because of this, with BLE it will also be easier to spy on and interfere with the secure data being transmitted during a transaction. Another threat to POS terminals and handsets using BLE is a Denial-of-Service (DoS) attack, in which hackers prevent shoppers from using the service. Often, the DoS attack is part of a larger intrusion. An additional security problem with a hands-free payment transaction (related to the PayPal Beacon scenario) is that a proof of payment (a "handshake") is missing. A merchant cannot prove that all customers gave verbal permissions for transactions, except when the merchant records all transactions, which could create significant bottlenecks at checkout. [25]

2. Card-Present or Card-Not-Present Transactions

For a card-present transaction to happen, BLE requires a similar setup for hardware and software, related to the POS terminal and the handset. The main difficulty for BLE is that the hardware and software used should be compliant with and certified by the existing payment networks. Given the potential security issues outlined above, it may be difficult to obtain these certifications. And even if a BLE POS terminal/beacon and handset are certified, the process will still require a large amount of time, as it does for NFC. [26]

It would require less time to enable a card-not-present transaction using BLE because the need to directly connect to the existing payment networks would be eliminated. The main issue with this option is cost: card-not-present transactions are more expensive since they are less secure than card-present transactions. The disadvantage for BLE is that safer and cheaper card-present transactions are already a reality for NFC. [27]

3. Interoperability With Contactless Payment Systems

NFC is compatible with most existing contactless payment systems (and with transit systems as well) since they all operate at the same radio frequency. Because BLE operates at a different radio frequency, it lacks backwards compatibility with existing contactless payment cards. In addition, an NFC infrastructure is already in place, both in the payment and transit industries. Because NFC is a compatible technology, both industries are investing in NFC. NFC has an advantage over BLE because it has mature standards and certification requirements along with certified hardware and software available on the market. [28]

4. Issues With Accurate Mapping

With NFC, a shopper and merchant are linked to each other via a single tap. For BLE, another step is needed to select the right device and customer. In other words, with NFC, shoppers identify themselves and their location to a merchant and a transaction with a tap between their handset and a POS. With BLE, shoppers are identified by their position, either through BLE triangulation or through BLE distance; this position is then linked to the merchant. An additional selection step is needed in order to match the customer with the right transaction. [29]

Because of this selection, location determination is needed for the Replacing NFC with BLE and the PayPal Beacon scenarios because, if the shopper's position is not known, and they simply check in and out, it would be impossible for a cashier to select their account quickly if there are tens or hundreds of people in the store. A solution would be to let the shopper self-identify by entering a code, but this would eliminate hands-free payment transactions. [30]

If the shopper were identified manually (for example, as a default option by the cashier), there would be a risk of either unintentional or intentional human error. Automated recognition, in addition to location determination, could use facial recognition technologies to rule out human error, but it would be unable to rule out all potential errors. Both manual and automated identification require high-quality photographs of shoppers, and both forms would require additional investments in hardware and software. It should be noted that implementing any type of recognition that involves biometric information or storage of a shopper's movements might incur difficulties related to privacy concerns. [31]

With the Take and Shake scenario, location determination or cashier identification is irrelevant because the shoppers would identify themselves. With NFC, location determination is also irrelevant because of the short range over which the payment transaction occurs. [32]

Our conclusion is that, compared to BLE, NFC remains the preferred technology for the in-store mobile payment transaction. We also believe that BLE has the potential to improve the overall shopping experience surrounding this secure payment transaction because of the enhanced location-based services BLE makes possible for target shoppers. [33]
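The selection step described under "Issues With Accurate Mapping" can be made concrete with the sketch below, an added Python example that is not part of UL's article or of any payment scheme. It estimates handset distance from BLE signal strength with the standard log-distance path-loss model and binds a handset to the transaction only when it is unambiguously the nearest one, otherwise falling back to self-identification. The radio parameters, thresholds, handset ids and RSSI samples are all assumptions constructed for illustration.

```python
"""Fail-closed payer selection from BLE signal strength (constructed data)."""
import statistics

# Assumed radio parameters; real deployments calibrate these per beacon and site.
TX_POWER_DBM = -59.0   # RSSI expected at 1 m (assumption)
PATH_LOSS_N = 2.5      # indoor path-loss exponent (assumption)
POS_RANGE_M = 2.0      # how close a payer must be to the counter (assumption)
MIN_MARGIN_M = 1.0     # required gap to the next-nearest handset (assumption)


def rssi_to_distance(rssi_dbm, tx_power=TX_POWER_DBM, n=PATH_LOSS_N):
    """Log-distance path-loss model: d = 10 ** ((tx_power - rssi) / (10 * n))."""
    return 10 ** ((tx_power - rssi_dbm) / (10 * n))


def distance_interval(samples):
    """Return (low, mid, high) distance in metres from a burst of RSSI samples.

    The interval is the median RSSI plus/minus one standard deviation, so a
    noisy signal produces a wide interval instead of a falsely precise point.
    """
    med = statistics.median(samples)
    spread = statistics.pstdev(samples)
    # A stronger (less negative) RSSI means a shorter distance.
    return (rssi_to_distance(med + spread),
            rssi_to_distance(med),
            rssi_to_distance(med - spread))


def select_payer(readings, pos_range=POS_RANGE_M, margin=MIN_MARGIN_M):
    """Pick the handset to bind to the transaction, or refuse.

    Returns ("selected", id), ("ambiguous", None) or ("none", None).
    "ambiguous" means the terminal must fall back to explicit
    self-identification (for example a code typed by the shopper).
    """
    intervals = {hid: distance_interval(s) for hid, s in readings.items()}
    near = [hid for hid, (low, _, _) in intervals.items() if low <= pos_range]
    if not near:
        return ("none", None)
    best = min(near, key=lambda hid: intervals[hid][1])
    best_high = intervals[best][2]
    if best_high > pos_range:
        return ("ambiguous", None)
    for hid, (low, _, _) in intervals.items():
        # Any other handset whose interval comes too close defeats the match.
        if hid != best and low - best_high < margin:
            return ("ambiguous", None)
    return ("selected", best)


# Constructed RSSI bursts (dBm); handset ids are hypothetical.
QUIET_STORE = {"handset-A": [-58, -60, -59, -61, -59],
               "handset-B": [-80, -82, -79, -81, -80]}
CHECKOUT_QUEUE = {"handset-A": [-60, -66, -58, -64, -62],
                  "handset-C": [-63, -61, -67, -65, -64]}
NOBODY_NEAR = {"handset-B": [-80, -82, -79, -81, -80]}

if __name__ == "__main__":
    for name, data in [("quiet store", QUIET_STORE),
                       ("checkout queue", CHECKOUT_QUEUE),
                       ("nobody near", NOBODY_NEAR)]:
        print(name, select_payer(data))
```

In the checkout-queue sample the two handsets' distance intervals overlap, so the check refuses to pick one; this is the situation in which the article notes that hands-free payment gives way to a code entered by the shopper.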

IMPACT

UL is committed to staying abreast of technological advancements to safeguard transactions; enhance their security, interoperability and effectiveness; and protect shoppers, retailers and service providers. In the case of BLE, and the debate about how this technology compares to NFC as a payment platform, our conceptual models enabled us to develop a robust set of insights. Our assessment is that NFC provides the most secure mobile technology for retail payments. We will, however, closely monitor future developments with both BLE and NFC and update our assessment as warranted.

SOURCES

1. "Smartphone Users Worldwide Will Total 1.75 Billion in 2014," emarketer, 16 Jan. 2014. Web: 6 June 2014. http://www.emarketer.com/article/smartphone-users-worldwide-will-total-175-billion-2014/1010536.
2. Ibid.
3. Walker, B.K., "Retail In Crisis: These Are The Changes Brick-And-Mortar Stores Must Make," Forbes, 12 Feb. 2014. Web: 6 June 2014. http://www.forbes.com/sites/jeremybogaisky/2014/02/12/retail-in-crisis-these-are-the-changes-brickand-mortar-stores-must-make/.
4. "Gartner Says Worldwide Mobile Payment Transaction Value to Surpass $171.5 Billion," Gartner, 29 May 2012. Web: 6 June 2014. http://www.gartner.com/newsroom/id/2028315.
5. "Mobile Payments to Hit $1.3 Trillion by 2017," MobilePaymentsToday.com, 15 Aug. 2012. Web: 6 June 2014. http://www.mobilepaymentstoday.com/news/mobile-payments-to-hit-13-trillion-by-2017/.
6. "NFC Trials, Pilots, Tests and Live Services Around the World," NFC World, 30 June 2014. Web: 11 June 2014. http://www.nfcworld.com/list-of-nfc-trialspilots-tests-and-commercial-services-around-the-world/.
7. Van Klaarbergen, S., "Mobile Payment Transactions: BLE and/or NFC?," UL, 2013. White paper, 13 May 2014.
8. Ibid.
9. Ibid.
10. "About Bluetooth Low Energy Technology," Bluetooth, 2014. Web: 6 June 2014. http://www.bluetooth.com/pages/low-energy-tech-info.aspx.
11. Van Klaarbergen, S., "Mobile Payment Transactions: BLE and/or NFC?," UL, 2013. White paper, 13 May 2014.
12. Marcus, D., "Three Trends That Might Transform the Retail Payments Experience," PayPal, 16 April 2014. Web: 6 June 2014. https://www.paypalcommunity.com/t5/paypal-forward/three-trends-that-might-transformthe-retail-payments-experience/ba-p/800878.
13. Van Klaarbergen, S., "Mobile Payment Transactions: BLE and/or NFC?," UL, 2013. White paper, 13 May 2014.
14. Ibid.
15. Van Klaarbergen, S., Personal interview, UL, 4 June 2014.
16-33. Ibid.


To learn more, explore the New Science of Indoor Air Quality, Transaction Security, Sustainable Energy, Workplace Health & Safety and Fire Safety. Watch our videos, read our journals, articles and case studies, scroll through our galleries and meet our experts.

VISIT US ON UL.COM/NEWSCIENCE
NEWSCIENCE@UL.COM
+1 847.664.2040

New Science Transaction Security cannot be copied, reproduced, distributed or displayed without UL's express written permission. V.16. UL, the UL Logo and NEW SCIENCE are trademarks of UL LLC 2014.