Mobile WalletsUsing Your Smartphone for Brick-and-Mortar Payment

Traditional Methods of Payment

•Cash•Check or Money Order•Traveler’s Checks•Credit Cards and Debit Cards•Pre-paid Cards (e.g., Gift Cards,

MetroCard)•Combination Cards (Loyalty Plus Payment)

▫e. g., Starbucks Card•NFC or RFID Tokens (“tap to pay”)

Cyber Payments

•Secure Web site▫Uses credit card numbers, often with CVV

•Cyber Wallets▫PayPal, Amazon.com, iTunes, Google

Wallet, Apple Pay•Cryptocurrency

▫Bitcoin, eGold, etc.

Mobile Payment Processing

•Moves credit/debit card processing to the mobile device▫Square▫Pay Anywhere▫PayPal Here▫Intuit▫Assorted mobile Point of Sale (POS) apps

Mobile Payment Processing

Hybrid Payment Systems• Moving cards and cyber wallets to mobile

devices▫PayPal app – access your PayPal account▫Amazon apps – purchase merchandise, MP3s▫Google Wallet – for Google Play, Google Wallet-

enabled apps, NFC▫ iPhone Passbook▫Loyalty+Payment card apps

Starbucks, Dunkin Donuts, etc. (scan to pay)• Balances can be spent online, on mobile,

and/or in store

Hybrid Payment Systems

NFC: Payment’s Next Iteration?•NFC: Near Field Communication

▫Devices must be in close proximity (2-3 cm)▫Login plus secure PIN to access payment method▫“Secure element” within the NFC chip makes

stored information device-specific NFC-stored payment information must be manually

migrated to upgraded devices▫“Tap to pay” requires separate supporting logic

chips and antenna iPad Air 2 and Mini 3 use their NFC chip only for

its secure element for storing payment information

How NFC Wallets Work• NFC radio must be turned on in Settings

▫ I usually turn this OFF when not actively using it▫Apple Pay app automatically turns NFC on and off

• Launch wallet app▫You may also need to tell the cashier you’re paying

with Google, Apple Pay, etc.• Choose payment card from app• Hover phone over payment terminal• A buzz or sound will tell you that your payment

method has been accepted.• You may still need to confirm the payment and/or

sign the screen

NFC-Enabled Wallets•Google Wallet•Apple Pay•Wallet for Windows Phone 8•Isis/Softcard (purchased by Google and

suspended as of 4/1/15)

Google Wallet• Hover/tap to pay option on Android phone and

iPhone apps• Requires NFC-equipped terminal and enabled POS

• “Buy with Google” banner on mobile Web sites and enabled apps (may be limited to Android and iPhone)

• Payment information stored in online Google Account, not in NFC Secure Element• This is called Host Card Emulation (HCE)

• Limited number of banks and loyalty programs• Subject to Fake ID Exploit

Apple Pay• Hover/tap to pay option only available on iPhone 6

series devices (or iPhone 5 with add on NFC case)• Wallet information requested upon iOS 8 set-up

(new devices)▫Used as backup payment method for iTunes,

AppStore, and Apple Pay-enabled apps• Apple says it stores payment information (bank

cards, etc.) in the secure element of the NFC chip▫While it requested the information for setting up my

iPad, my computer says my iTunes account is still set to pay with PayPal and doesn’t provide an Apple Pay option

Wallet for Windows Phone 8

•API supports both bank and loyalty transactions

•User app is available for both Tap To Pay and Microsoft Store online purchases

•Developer side appears to be white-label back-end system

•More information here

Softcard (formerly Isis) - DEFUNCT

• Hover/tap to pay• Was available for Android, iOS, and Windows

Phone• Complete NFC solution

▫NFC is built into most current-generation smartphones

▫Financial information stored in NFC secure element • Limited number of participating banks and

services• Included additional loyalty programs and

incentives• Purchased by Google and suspended 3/31/15

Paying With NFC

Android Settings

Google Wallet

Apple Pay

Other Mobile Payment Options• Bar Code Scan Apps

▫ Loyalty + Gift Card Starbucks, Dunkin Donuts Connected through customer’s loyalty account

▫ Apple Passbook (iPod, iPhone only)▫ PayPal Mobile App▫ CurrentC

Developed by Paydient, which is being acquired by PayPal• Open (Numerical) Code Apps

▫ CurrentC (Gas pump purchases)▫ BK Crown Card/Mobile App

• Social Payment Apps▫ Venmo –PayPal-based social and business payments (mixed

reviews)

How Merchant/Loyalty Code Apps Work• Open the app as you approach the register• Tell the cashier you’re paying with the merchant’s

app• Choose “pay” in the app• Choose the card you wish to pay with

▫ I have had several Starbucks cards given to me; I use the app to transfer the balances to a single “default” card

• Click “pay” to generate a bar code or PIN code• Show the code to the cashier

▫ Bar codes and QR codes are scanned; PIN codes are entered manually

• A beep will tell the cashier your payment’s been accepted

DD Perks: A Bar Code Payment App

How MultiMerchant Bar Code Scan Apps Work• Open the app

▫You can do this before approaching the register• Choose the merchant from the selections in the app

▫Pay Pal presents a list based on your current location, or you can search from the menu

• Tell the merchant you’re paying with the app• The app will either

▫Generate a code for the merchant to scan or enter▫Tell you to scan or enter the merchant’s transaction

code▫Tell you to enter your mobile phone number and PIN

at the merchant’s terminal

PayPal Mobile Payment

PayPal Mobile Payment

Pay With Open Code

•Log in to app•Select merchant or payment method•Present code to merchant•Merchant enters payment method or

loyalty card menu, types in 4-digit code

Burger King – an Open Code App

Burger King Loyalty and Payment

A Bit More About CurrentC• Created by Paydient for MCX (Merchant Customer

Exchange) – a consortium of major retail chains• Combines payment, loyalty, and coupon

information in a single QR code• Designed to directly access bank accounts to save

merchants card processing fees• Collects personal information for marketing

purposes• Merchant, customer, or both may need to scan QR

codes (not unlike the Pay Pal app)• May have already been hacked

Mobile Payment Incentives• Dunkin Donuts and Softcard have offered

referral incentives• Burger King, Softcard (and associated My Coke

Rewards accounts) offered purchase incentives• Loyalty programs usually reward in merchandise

or in “points” to be redeemed for merchandise▫ Exception: during much of 2014, American Express and

Softcard offered monetary rewards for using the AmEx Serve prepaid card through the Softcard app

• Most incentives disappeared after the announcement of Apple Pay. Burger King’s BK Crowns expired 4/28/15.

Mobile Wallet Security•Pros:

▫NFC: Short-range radio, secure element for info storage, dual identification required Apple Pay only requires fingerprint or PIN HCE only uses NFC for communication

▫Magnetic stripes cannot be force-read (street device) if cards are not present

▫Multiple-factor authentication available for some apps PayPal can use email/password or mobile-

phone/PIN in conjunction with app-loaded photo

Mobile Wallet Security•Cons:

▫Can the NFC radio and/or the app(s) be hacked? Emails have already been hacked from CurrentC New RFID chip readers and antennas can read

current-generation chip credit cards from a distance

▫What if you lose or break your device (or it is stolen)? Security apps, remote wipe of device Card management through computers/Web

▫PayPal mobile does not allow for a separate PayPal security token

Retrofitting• Some mobile wallets provide credit services

and physical credit cards▫Amazon Card▫PayPal Credit

• Some mobile wallets provide credit/debit-style cards to access your online balance offline▫Google Wallet Card▫PayPal Credit

• NOTE: Mobile wallet-based physical cards have the same security issues as traditional credit and debit cards

Other Considerations•Availability Issues•Resource Management

▫Money distribution▫Device space limitations

•Back End Security•Privacy

Availability Issues• Despite

what the availability map sayswhat the payment terminal saysthe fact you’re using the merchant’s own app

▫ The merchant/location may not have enabled mobile payment

▫ The merchant/location may have disabled mobile payment CVS, Rite-Aid, etc. (MCX contract terms?)

• The cashier may not know how to process mobile payment

• Hardware issues▫ Scanner, radio malfunction

Resource Management• Money distribution

▫ How many different places do you want to store money? (What if you suddenly need it all in one place?)

• Device space limitations▫ How much room on your device do you want to allocate

to wallet apps and loyalty apps? How many of these apps come pre-loaded as “carrier

bloatware”?• What if you don’t have a data plan (or a 3G/4G chip)?• Many wallet apps are unavailable for tablets

▫ How many mobile phones do you want to be paying for?

Back End Security•Your financial information is only as secure

as the systems through which it is sent•Banks, stores, payment processors are still

weak links• Database breaches have become increasingly common

and wide-scale• Debit card and ACH (direct withdrawal) fraud victims

don’t have the protection and legal recourse that credit card fraud victims have

• While stores may no longer have your card information, they do have increasing amounts of other personal information

Privacy• Do you really want Google, PayPal, etc. knowing all your banking

information as well as your personal info?

• Do you want multiple digital wallets having your banking information?

• Store security cameras and transaction timestamps can still trace what you bought (and when) back to you in two or three steps

• High-end (current generation) store security cameras can probably capture your security PIN

• Free in-store Wi-Fi, and Bluetooth beacons, can capture where you are in the store at any moment

• Proposed paths for mobile commerce evolution include drawing all customer information from one’s mobile phone number

NFC Security: Resources

•8 Myths About Mobile NFC (Gemalto Security)

•How Secure is NFC Tech? (How Stuff Works)

•Security Concerns with NFC Technology (NearFieldCommunication.org)

•Nearfield Communication (Wikipedia)•NFC FAQ (Smartcard Alliance)

CurrentC Resources

•Merchant Customer Exchange (MCX) Official Site

•CurrentC site•MCX: Wikipedia entry•BostInno article 10/28/14•Mobiquity article 5/28/14•Tech Crunch on CurrentC 10/25/14

More Resources

•Apple Pay and Privacy•PayPal Acquisition of Paydient 3/20/15•Mobile devices as proxy for identity,

4/16/15•More on the future of

Host Card Emulation (HCE)•Professional level reports on Mobile

Payments from Networld Media Group, home of Mobile Payments Today (pay to download)