White paper: Non-NFC based Mobile SEPA Card Proximity Payments

In recent years, non- Near Field Communication (NFC) proximity technologies (e.g. QR-codes, Bluetooth-Low-Energy (BLE)) have been introduced in the market for various mobile payment services to enhance the consumer experience and to bring additional functionality and services to the customer (e.g. integration of payment with loyalty) and to overcome the lack of accessibility to the NFC antenna on some mobile operating systems.

However, in comparison to mobile contactless card-based payments (MCPs), the European market is still less mature with respect to the usage of these non-NFC based technologies for mobile payments. Additionally, standardisation efforts aiming at interoperability of these solutions are in their early days.

In November 2018, the multi-stakeholder group on mobile contactless Single Euro Payments Area (SEPA) card payments (MSG MCP), facilitated by the European Payments Council (EPC), has developed a white paper to provide a high level overview of non-NFC based mobile card proximity payments (MCPPs), utilising SEPA cards as the underlying payment instrument. After having held a 3-month public consultation on the document until 14 February 2019, the EPC published today its final version.

In view of the current market deployments, the document has been restricted to proximity payments based on QR-codes and BLE technologies.

In addition to MCPP use cases, the document provides some insights into transaction characteristics and impacts on the Points of Interaction (POIs). The white paper further mentions in the document some opportunities but also a number of gaps and challenges that are existing today and, if properly addressed, could encourage the market take-up of MCPPs.

Challenges
In various countries, the proximity solutions described in this document have been introduced by domestic card payment schemes, Mobile Cardbased Proximity Payment (MCPP) providers and retailers to be able to reach their consumers. However, because of the lack of standardisation, many different MCPP solutions exist in the market today. This means that consumers who would like to purchase across a range of merchants or cross-border may need to download many different MCPP applications on their mobile device in view of the proprietary implementations.

The usage of these proximity payment solutions also comes for the retailers with a cost for the adaptation of their card acceptance environment (e.g. the POI terminals). Here a distinction is to be made between the adoption of BLE technology at POIs (“Point of Interactions”),that may require a hardware change versus the adoption of QR-codes which may only require a software update and, in case of support of the consumer-presented mode, a QR-code reader.

Recently, EMVCo has published dedicated specifications for the usage of QR-codes. However, it is to be noticed that many of the solutions available in the market today have a proprietary format. In view of the further take-up and interoperability of QR-code based mobile card payments, the migration to the EMVCo specifications needs to be addressed.

A QR-code code may be static, e.g., merchant account data and related payment details for a fixed transaction amount (typical use case of a transport ticket) or may be dynamic to initiate/identify a single mobile card transaction (e.g. at a POI).

Tampering QR-code data may lead to fraudulent transactions or data leakage. Therefore, the sensitive payment data in the QR-code should be adequately protected (e.g., through encryption and digital signature based on public-key cryptography.

The integrity of the QR-code should always be checked if security mechanisms have been implemented (e.g. digital signature) and, if possible, the sensitive payment data retrieved could be checked against available data in the backend systems.

BLE is a potential alternative to NFC for electronic payments with mobile devices at the POI. Both transmission methods work bidirectional and have a sufficiently fast transmission rate.

BLE transmissions can be made secure against unauthorised intrusion if they are operated as a connection with multi-level dynamic key allocation. Static key assignment limits security. When the key is transmitted, exactly this part of the communication is particularly at risk, since only the successful exchange of the key protects a BLE connection.

Unlike NFC, with radio ranges of typically < 10 cm, BLE has ranges of many meters, depending on its range class. This causes practical problems for use at the POIs, as several mobile devices can be in the reception range of the POI. As a consequence, a card payment must be explicitly confirmed by the consumer on the mobile device once the connection has been successfully established – in other words, a „Tap & Go experience” is not possible. In comparison, NFC-based card payment avoids this problem because the connection and payment confirmation may be made by simply “tapping” the mobile device at the POI in a “single step”.

In analogy to NFC technology, the usage of the BLE technology for making proximity payments requires that the Bluetooth functionality on the consumer’s mobile device is switched on, which should be handled by the MCPP app.

Finally, there is a lack of standardisation for the adoption of BLE technology for MCPPs (e.g. common specification for radio range on POI, transaction processing) and “common” customer experience guidelines.

Another challenge may occur when the POI supports multiple proximity technologies. In such an environment, the consumer’s mobile device may perform a transaction over an unintended interface (e.g., consumer presented QR-code and in parallel an NFC-based transaction). However, this problem could potentially be avoided by appropriate implementation measures and will be further analysed by the ECSG.

Download the white paper here: Non-NFC based Mobile SEPA Card Proximity Payments, June 2019