According to research conducted by Strategy Analytics and reported by NFC World, more than 100 million people will make an NFC (near-field communication) mobile payment in 2016. And within five years, the value of transactions conducted via NFC handsets will skyrocket to an estimated $240 billion.
Digital wallets, such as Apple Pay, Samsung Pay and Android Pay, sit squarely at the center of this growing market. And while the experts agree that all roads lead to a future economy that revolves around mobile, consumers to date have been slow to embrace mobile payments, due at least in part to their perception that the technology is not secure.
The reality is that the tokenization technology securing Apple Pay, Samsung Pay and Android Pay transactions very effectively protects consumers from card fraud – and much more effectively than swiping a physical card, something consumers do routinely without hesitation.
As a credit union, you are well positioned to introduce members to digital wallet technology – and correct any misperceptions they may have. Taking the time to educate members on these valuable new resources will both help better secure their payments and ease the burden that card fraud places on your credit union.
Here is what your members need to know:
Near-Field Communication 101
NFC is the technology that facilitates Apple Pay, Samsung Pay and Android Pay at the point of sale. NFC enables contactless payments by allowing two separate devices that are each equipped with an NFC chip to exchange data when placed in very close proximity to each other. Today NFC technology is embedded in the vast majority of new card readers being manufactured and has been adopted by Starbucks, Macy’s, Walgreens and Target. Look for many, many more retailers to follow suit in the near term.
While NFC makes it possible for consumers to pay at checkout via a mobile device, tokenization is the method used by Apple Pay, Samsung Pay and Android Pay to secure contactless payments. It does this by replacing a personal account number (PAN) with a randomly generated number, or token. Because the token is specific to a given device, such as a smartphone, it cannot be used by a fraudster on any other device. When a contactless payment is initiated, a secure dynamic code is also transmitted that is specific to that transaction.
The primary reason that tokenization is highly secure is that it allows a consumer to conduct a contactless payment from end to end without transmitting an actual account number. The original PAN is not even stored on the phone and never passes into the merchant’s hands.
Instead, the PAN remains stored in highly secure token vaults behind the firewalls at payments networks. In the event that a token is compromised, it can be disabled and replaced by a new token. There is no need to close actual card accounts or reissue physical cards – all of that information remains safely out of the fraudster’s reach.
Securing Apple Pay
Apple was the first of the digital wallet providers to bring tokenization to consumers. Today, Apple Pay is available on the iPhone 6 and iPhone 6 Plus, and can also be used with the Apple Watch.
In order for tokenization technology to secure Apple Pay payments, a hardware component known as the Secure Element must be in place. For Apple Pay, the Secure Element is a physical chip that resides on the phone to prevent hardware and software attacks on the device. The Secure Element stores the token on the device and also assists in generating the one-time code for each payment transaction. Apple Pay transactions are further secured with biometrics, and today require the user to authenticate payments with a fingerprint.
Apple Pay also supports in-app purchases from participating merchants – look for the Apple Pay button as a payment option.
Tokenization by Samsung Pay
Samsung Pay is available on seven of the company’s Galaxy smartphones today. Across these devices, tokenization secures NFC payments in very much the same way it secures Apple Pay transactions. Each time a purchase is made, the Samsung Pay handset sends two pieces of data to the payment terminal. The first is the 16-digit token that represents the credit or debit card number, and the second is the one-time code or cryptogram that’s generated by the phone’s encryption key. The user’s fingerprint or PIN authentication is also required to authorize payments.
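The flow described here and in the tokenization overview above (a device-held token plus a one-time code, with the PAN kept only in the network's vault), as an added Python sketch that is not code from Apple, Samsung, Google or any payment network. `TokenVault`, `make_cryptogram` and the HMAC-SHA256 construction are assumptions for illustration, standing in for the real cryptogram scheme, and the card number is a constructed test value.

```python
import hashlib
import hmac
import secrets

def make_cryptogram(key, token, counter, amount_cents):
    """One-time code: keyed MAC over token, counter and amount (illustrative stand-in)."""
    msg = f"{token}|{counter}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class TokenVault:
    """Hypothetical network-side vault: the only place a token maps back to a PAN."""
    def __init__(self):
        self._records = {}

    def provision(self, pan):
        token = "".join(secrets.choice("0123456789") for _ in range(16))
        key = secrets.token_bytes(32)  # kept on the enrolled device, never sent to merchants
        self._records[token] = {"pan": pan, "key": key, "active": True, "last_ctr": 0}
        return token, key  # the device stores these; it never stores the PAN

    def disable(self, token):
        self._records[token]["active"] = False  # the card account itself is untouched

    def authorize(self, token, counter, amount_cents, cryptogram):
        rec = self._records.get(token)
        if rec is None or not rec["active"]:
            return None  # unknown or disabled token
        if counter <= rec["last_ctr"]:
            return None  # one-time code already used (replay)
        expected = make_cryptogram(rec["key"], token, counter, amount_cents)
        if not hmac.compare_digest(expected, cryptogram):
            return None  # token presented without the enrolled device's key
        rec["last_ctr"] = counter
        return rec["pan"]  # resolved only inside the vault

def demo():
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test card number
    token, key = vault.provision(pan)
    code = make_cryptogram(key, token, 1, 1250)
    ok = vault.authorize(token, 1, 1250, code) == pan
    replay = vault.authorize(token, 1, 1250, code)
    wrong_key = make_cryptogram(secrets.token_bytes(32), token, 2, 1250)
    copied = vault.authorize(token, 2, 1250, wrong_key)
    vault.disable(token)
    disabled = vault.authorize(token, 2, 1250, make_cryptogram(key, token, 2, 1250))
    new_token, new_key = vault.provision(pan)  # same card, fresh token
    reissued = vault.authorize(new_token, 1, 500, make_cryptogram(new_key, new_token, 1, 500)) == pan
    return ok, replay, copied, disabled, reissued
```

The merchant side only ever handles the token and the one-time code; a replayed code, a token copied without the device key, and a disabled token are all declined, while the reissued token authorizes against the same unchanged card number.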
Samsung Pay offers a unique benefit to consumers, which is the addition of Magnetic Secure Transmission (MST) technology. MST allows Samsung devices to work with card readers that are not yet NFC-enabled – which means that Samsung Pay is universally accepted at checkout, even at terminals that are limited to magnetic stripe or EMV technology.
MST works by emitting a magnetic signal that simulates the magnetic stripe on a physical card and exchanges data directly with a terminal’s card reader. As a result, consumers can enjoy the speed and convenience of Samsung Pay wherever they shop – and all of their transactions are protected by tokenization, whether or not the merchant has NFC in place.
Android Pay and Host Card Emulation
Android Pay allows users to pay for purchases with an Android phone running KitKat (4.4) or higher. As with Apple Pay and Samsung Pay, Android Pay transactions are secured through tokenization technology.
One major difference between Android Pay and its rivals is that it employs a special form of NFC called Host Card Emulation (HCE). Unlike Apple Pay and Samsung Pay, this technology does not use the Secure Element embedded in the phone, but instead stores credentials, including the token data, in the cloud. Because Android is open source, with thousands of versions, the Secure Element is not a viable solution.
Android Pay transactions can be authenticated using a PIN, password or pattern. Android Pay also supports in-app purchases from participating merchants.
Beyond the Digital Wallet
While digital wallets go a long way toward securing mobile payments, other complementary technologies can help as well. Look for Part 2 in this series to learn how credit unions and their members can further enhance payment security.