Near-field technology is the next major technological
development that will impact the lives of banking professionals.
This is poised to increase the volume of low-value contactless
transactions, by allowing suitably equipped mobile phones to be used as
payment devices or travel cards. Already being tested in the field,
the adoption of this application is inevitable. However, while this
development makes sense on a number of levels, it raises significant
issues concerning both fraud and data security.
The growth of the
credit card industry since the first Diners Club card
was issued in 1951 has been driven by a product that provides
consumers with flexibility, security and convenience for purchases
from a huge range of outlets across the globe. However, in recent
years, the need for enhanced security to combat increasing levels of fraud
has certainly impeded the convenience factor. While the consumer in
the UK has grown to accept the need to comply with security checks
such as Chip & PIN and input their personal identification number
for the majority of purchases, there are always certain instances in which
cash is still more convenient. This is a reality of the market that
credit and debit card issuers are eager to do away with and
technology is now available to help achieve their aims.
The key to ensuring that credit cards are always selected as the most
appropriate payment method is to reintroduce the convenience
factor. This can be achieved by using a credit or debit card with a
contactless chip that can be read while in close proximity to, but not
necessarily in direct contact with, a point-of-sale device. The
transaction can then be processed without the need for the consumer
to enter a PIN and wait for authorisation.
In reality, this would allow consumers to purchase
low-value items such as a newspaper or a cup of coffee simply by
passing their card over a reader while still in their purse or
wallet. Contactless payments bring a range of
benefits for consumers, retailers and card issuers including speed
and ease of use at the point of sale, faster transaction times,
increased spending per transaction, lower operational costs, and
penetration into the cash payment market.
The technology that enables this form of contactless payment has been
widely proven and is currently used globally by major transport
networks such as Transport for London and the Mass Transit Railway
in Hong Kong. Visa, MasterCard and American Express have all launched
contactless payment initiatives.
In the UK, Barclaycard and RBS are rolling out contactless credit and
debit cards and other major issuers are starting to follow suit.
Payment service providers such as TSYS supply the payment systems
and infrastructure that allow banks and merchants to transact payments
anywhere in the world. TSYS has firsthand experience of mobile and
contactless payment technology and will continue to develop its
systems and infrastructure to keep pace with advances in mobile and
contactless payment technology to ensure that support is available
for any player that wants to deploy or use this technology in the card
payment ecosystem.
Having invested so much time, effort and capital in developing enhanced
security systems to combat fraud, some might perceive it to be a
backward step to deploy a new payment solution that doesn't use the
basics of Chip & PIN. However, contactless payment solutions do use
Chip & PIN technology supported by a host of far more sophisticated
security techniques that will help reduce fraud even further than is
currently possible.
The difference is that consumers are not asked to enter their PIN for
every transaction. Currently, contactless card transactions in the
UK are generally limited to a maximum of £10 under UK Government
guidelines and from time to time the cardholder will be asked to enter
their PIN as a security check. This limits the maximum number and value of
consecutive contactless transactions that can take place before a
PIN is required to verify the user's identity. TSYS Fraud Management
welcomes these guidelines, which are designed to tackle fraud
associated with mobile phone and contactless payments, and to increase
public confidence in this new and developing payments channel.
It is also worth noting that contactless payments and their processing do
not need a cardholder name, and because of the use of a dynamic card
verification value, contactless transactions can only be transacted
and processed once. This measure prevents the repeat transaction
attacks that have been experienced with other transaction types.
Therefore, contactless payment will always offer much greater levels
of consumer protection than cash.
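
The one-use property described above can be shown with a small model, added here as an illustration and not taken from TSYS or any card scheme. It assumes the dynamic value is derived from a per-card key and a transaction counter; the HMAC construction, the class names and the sample card number are hypothetical stand-ins for the scheme's real algorithm.

```python
import hashlib
import hmac

def dynamic_cvv(card_key: bytes, pan: str, atc: int) -> str:
    """Derive a 3-digit one-time code from the card key, PAN and counter."""
    msg = f"{pan}|{atc}".encode()
    digest = hmac.new(card_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"

class Card:
    """Card side: the counter advances on every tap, so each code differs."""
    def __init__(self, pan, card_key):
        self.pan, self._key, self.atc = pan, card_key, 0

    def tap(self, amount_pence):
        self.atc += 1  # no cardholder name is part of the message
        return {"pan": self.pan, "atc": self.atc, "amount": amount_pence,
                "dcvv": dynamic_cvv(self._key, self.pan, self.atc)}

class Issuer:
    """Issuer side: recompute the code and refuse any counter already seen."""
    def __init__(self):
        self._keys = {}      # pan -> card key
        self._last_atc = {}  # pan -> highest counter accepted so far

    def enrol(self, pan, card_key):
        self._keys[pan] = card_key
        self._last_atc[pan] = 0

    def authorise(self, txn):
        key = self._keys.get(txn["pan"])
        if key is None:
            return "DECLINE_UNKNOWN_CARD"
        if txn["atc"] <= self._last_atc[txn["pan"]]:
            return "DECLINE_REPLAY"  # captured transaction presented again
        expected = dynamic_cvv(key, txn["pan"], txn["atc"])
        if not hmac.compare_digest(expected, txn["dcvv"]):
            return "DECLINE_BAD_DCVV"  # old code reused with a new counter
        self._last_atc[txn["pan"]] = txn["atc"]
        return "APPROVE"

def demo():
    key, pan = b"constructed-demo-key", "4000000000000002"  # constructed values
    issuer, card = Issuer(), Card(pan, key)
    issuer.enrol(pan, key)
    first = card.tap(250)
    return [issuer.authorise(first), issuer.authorise(first),
            issuer.authorise(card.tap(180))]
```
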
The case for contactless payments can be developed further by utilising a
mobile phone or other handheld device as the host for the consumer's
payment card. In this situation, the technology is slightly
different, deploying a Near Field Communication (NFC) chip. However,
the device still displays the same characteristics as a contactless credit
or debit card with a resident radio frequency chip.
The use of the mobile handset for contactless payments also gives rise to
a number of additional benefits through elite functionality,
including user-configurable security protection that gives the
ability to offer expenditure tracking to aid budgeting and control.
In addition to these benefits, it has been suggested by early trials that
with the enhanced functionality on their phones, users will take
more care of their handsets. In concept-proving trials, users have also
said they are less likely to carry wallets or purses with their
payment-enabled mobile phones, reducing the potential loss from any theft.
Notwithstanding these benefits, however, security is still the major issue
for contactless payments, with huge challenges and additional risks
to be addressed. The loss or theft of an NFC-enabled mobile phone
poses a similar fraud risk to loss or theft of a credit or debit
card. However, there are also additional specific risks associated with
the technology. Cards and mobile devices need to be configured to
prevent unauthorised, fraudulent access using a point-of-sale reader
in the street or any other public place. Although contactless cards
and NFC-enabled mobile devices only have a range of up to 2cm, it has been
demonstrated that card readers can be altered in order to increase the
reading range to around 30cm - certainly enough to access someone else's
contactless card in a crowded shop or train.
The card processing industry is very aware of these close proximity
security issues and is continually developing solutions to prevent
unauthorised access. UK Government guidelines will also apply to
contactless mobile payments with a maximum transaction value limited to
£10 and a recommendation for the device to go online after every tenth
payment in order to verify the user's identity. This can be done
using the device's own capabilities: a call centre with
automatic number recognition, text messages, or a password keyed in over
the internet.
The guidelines also recommend that there should be a mechanism to remotely
disable the payment functionality of a mobile phone should it be
lost or stolen. As the liability for unauthorised use of a
contactless mobile device currently sits with the card issuer, the
ability to receive and act on information about lost or stolen devices
promptly is vitally important. For contactless mobile transactions,
individual card issuers will be able to change the risk parameters
of the periodic security checks for specific groups of customers as
appropriate to their own risk model. An additional benefit is the ability
for card issuers to remotely disable the contactless payment functionality
should a user breach terms and conditions.
A more advanced level of security that is being deployed for contactless
mobile transactions builds on the success of the adaptive
authentication side of 3D-Secure in reducing card not present (CNP)
fraud. Rather than, or as well as, the user choosing a unique
alpha-numeric password, the mobile device making the payment can be
screened by the point of sale terminal during its first use and a
unique master fingerprint produced automatically. This will be based
on a number of factors, including the device's own unique identification
number and less easily accessible details such as hardware profile.
The master fingerprint is then automatically associated with the user's
card information for future reference. When the device is next used,
it is again screened by the merchant and the fingerprint
automatically compared with the master fingerprint to ensure that the
device is still associated with the correct credit card information.
Any mismatch would indicate that the card details have been cloned
and transferred to a new device so the transaction would be terminated.
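
The controls described in the preceding paragraphs (the £10 cap, verification after every tenth payment, remote disablement, issuer-tunable risk parameters and the master fingerprint check) combine into a single decision, sketched here as an added example that is not TSYS's or any issuer's code. All names are hypothetical, and hashing the device identifier with the hardware profile is an assumed way of forming the fingerprint.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass
class RiskParams:
    """Issuer-tunable limits; the defaults follow the figures in the article."""
    max_contactless_pence: int = 1000  # £10 cap
    run_limit: int = 10                # verify after every tenth payment

def fingerprint(device_id: str, hardware_profile: str) -> str:
    """Hash the screened device attributes into a comparable fingerprint."""
    data = f"{device_id}\x00{hardware_profile}".encode()
    return hashlib.sha256(data).hexdigest()

@dataclass
class Account:
    params: RiskParams
    master_fp: Optional[str] = None  # set on the device's first use
    run: int = 0                     # payments since the last identity check
    disabled: bool = False           # remote disable: lost, stolen or denied

def decide(acct: Account, amount_pence: int, device_fp: str) -> str:
    if acct.disabled:
        return "DECLINE_DISABLED"
    if acct.master_fp is None:
        acct.master_fp = device_fp   # first use: record the master fingerprint
    elif acct.master_fp != device_fp:
        return "TERMINATE_FINGERPRINT_MISMATCH"  # card details on a new device
    if amount_pence > acct.params.max_contactless_pence:
        return "REQUIRE_PIN"         # handled like a standard card transaction
    if acct.run >= acct.params.run_limit:
        return "REQUIRE_ONLINE_VERIFICATION"
    acct.run += 1
    return "APPROVE_CONTACTLESS"

def verified(acct: Account) -> None:
    """Call after a successful PIN or online identity check."""
    acct.run = 0
```

Passing a different `RiskParams` per customer group models the issuer changing the frequency of the periodic checks to suit its own risk model.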
Payment transactions using an NFC-enabled mobile phone are not just limited
to £10. Any transaction over the maximum contactless value would be
treated in a similar manner to a standard card transaction with
appropriate user verification (such as a PIN) required to authorise
the transaction. The mobile phone's standard features, such as text
messaging, can be used to speed up authorisation or detect fraud.
For example, TSYS has developed a security system on behalf of card
issuers that automatically sends a text message to a mobile phone
requesting verification when a suspicious transaction has been identified.
A reply authenticating the transaction will update the account status. If
the cardholder denies the transaction, the payment functionality of the
device will be disabled.
While the technology is already available, the development of contactless
mobile payments is still at a very early stage of evolution to such
an extent that not all stakeholders have yet been identified.
Business models and relationships are still being developed and it is
still unclear as to how all the players in the value chain will interact.
There is also the pressing need to ensure that existing relationships are
not damaged by new developments. Certainly, mobile phone vendors
have never been backward in developing and deploying new technology
on their devices if it is likely to provide them with a Unique
Selling Proposition in the market place. However, what is less clear is
how the devices will be deployed and how the business model will be
divided up within the new ecosystem.
The development of contactless cards and NFC mobile phone technology has
opened up a range of possibilities that will bring improved
convenience to consumers and increased opportunities for the card
payment industry. Revenue streams will expand to include small-value
transactions, and new revenue streams can be developed by expanding the
reach of the contactless credit card. The union of the contactless
Barclaycard and TfL's Oyster card to produce the Barclaycard
OnePulse is a prime example and one that will achieve increased
uptake as Oyster is rolled out on elements of the UK's national rail
network. Security and fraud prevention must remain high on the
agenda with lessons learned and experience used to ensure that risk
is managed effectively. In the UK, there is support from all the major
stakeholders including Central Government which announced its aspirations
of having contactless mobile payments and e-tickets as integral
parts of the ticketing arrangements for the 2012 Olympics. With this sort
of vision and support behind it, the future of card payments most
certainly is mobile.
Jonathan Hancock is senior consultant for fraud
management at TSYS.
