Securing a future for NFC payments

This article is brought to you by Retail Technology Review: Securing a future for NFC payments.

The number of contactless/NFC payments being made in the UK continues to increase, as evidenced by VeriFone, who processed twice as many transactions in 2011 compared to the number processed for its clients in 2010, says Paul Holliday, Head of Marketing at VeriFone.
 
However, in order to really progress, the availability of the technology for acceptance remains key. If customers get a chance to use their contactless cards and mobiles and know where they can use them, they probably will on a regular basis. The number of contactless cards in circulation in the UK is expected to reach 30m by the end of 2013, but this means nothing unless retailers have the technology to accept them.
 
By implementing a contactless payment capability in store, retailers enable rapid processing of low value transactions. Provided the value of goods or services purchased is less than 15, their customers simply tap their contactless-enabled credit or debit card, or NFC-enabled mobile phone, on the contactless-enabled payment device - and that's that. No waiting, no digging in pockets for cash no change required and no time wasted. No till needs to be opened.
 
Contactless payments are perfect for retail environments, fast food outlets, cafes, bars - in fact anywhere with high traffic and low value transactions. Contactless payment capability can also increase a retailer's average transaction value as customers are not constrained by the amount of cash in their pocket.

Contactless challenges

A new technology like NFC needs several years to bed in; other technologies, such as SMS, took time. Orange launched free SMS in 1994, but it wasn't until 1996 that usage justified charging for it and another two years before it really took off.

Similarly MMS, Bluetooth, mobile email and more all hung around in phones for three to five years before there was any great uptake.

No one will buy a mobile phone just because it has NFC. They are much more likely to buy it for its camera resolution, its range of downloadable apps or how it looks. So NFC needs to be in the phones people are buying anyway and even then you can't expect them to use it. There will be a few people who do, including; the tech savvy, journalists and above all, fraudsters. If there's the slightest sign of a loophole in the security, then criminals will jump on it. NFC needs to be extensively tested and monitored.

Which brings us to the problem of who is going to pay for it; the network operator or their customer, you and me or the handset manufacturer?

That is a tough one. NFC adds cost and somebody will have to pay for it somehow.

Finally where can we use this great technology?  Some retailers and players are rolling out payment acceptance functionalities but this too is proving to take time, cost and effort.  Convincing more businesses to implement and then promote their NFC capabilities will be as important as actually getting NFC technology into the hands of the end user.

Security measures

The emergence of payments via NFC and mobile commerce technologies have become the top issues for the payments industry. It presents great opportunities for growth, but because of an inconsistent approach to security on the software currently being developed for mobile devices, there is a real concern that the industry is trying to run before it can walk.
 
Unlike payments processed via a chip and PIN entry device, there are no common standards for mobile applications. This means that some companies developing these applications are doing so without incorporating adequate measures to protect sensitive cardholder information.  Over two-and-a-half years ago, VeriFone introduced the first PA-DSS certified solution offering Point-to-Point Encryption (P2PE) technology for the benefits of UK retailers. Yet it has taken until now for the regulatory body, the PCI Security Standards Council (PCI SSC), to publish its first guidelines on P2PE applications.
 
There is a danger that the security guidelines and the resulting security software developments will not keep pace with retailer and consumer demands for payment services from a mobile phone.
 
New payment methods will continue to be exposed to security threats, as mobile handset manufacturers and software application developers continue to trial the latest innovations more quickly than the industry standards bodies can introduce new standards to secure them. Retailers must therefore ensure that they work with a payment service provider, such as VeriFone, which has exhibited a track record in payment security to protect both their customers' sensitive card data and, ultimately, their own reputation.