Paying for a café latte via smartphone or a ticket via smartwatch - contactless payment is convenient and fast. Thus, its global popularity is growing constantly, especially in the United States and China. Even in Europe, like Sweden, only one in five purchases is paid in cash. But how secure is contactless payment?
Within the last few decades, the global payment landscape has changed fundamentally. Credit cards deposited on smart devices and shopping websites increasingly replace cash and contact-based reading of credit cards at the counter. The fact that non-contact payment becomes more and more common is shown by a recently published study: While 2016 alone in the US 23.2 million users paid for goods and services contact-free, the market research company eMarketer predicts nearly 70 million users for 2019.
As a result, the number of smart devices sold is also increasing. The IHS Near Field Communications Report expects a worldwide delivery of a total of 340 million smart wearables, such as smartwatches, fitness tracker, key chains and rings, over the next four years. By comparison, the number of smart wearables delivered will reach an estimated 119 million devices at the end of 2016.
How does contactless payment work? For example, if an employee wants to buy a bottle of water from a vending machine, it suffices to place a payable smart device within ten centimeters to the payment terminal. Touching a designated area becomes superfluous. The terminal then deducts the corresponding amount via NFC chip and the payment process is terminated.
Compared to contact-based payment services, contactless payment offers some advantages to the consumer. Since the customer merely has to place her NFC-enabled device within the closer proximity of a payment terminal, but not within a designated area, there is no need to necessarily understand corresponding payment instructions on the display. The elimination of possible language barriers is thus beneficial to the consumer, above all, while on vacation or on business trips. For amounts of up to 25 euros, the customer usually does not even have to enter a PIN.
Near Field Communication (NFC) serves as an international radio standard for the contactless exchange of data within a short distance of a few centimeters. This technology turns mobile devices into a wallet, a ticket or a key. In contrast to Radio Frequency Identification (RFID), NFC uses the proximity of the corresponding device to the payment terminal in order to exchange secure keys at the beginning of a transaction.
These and other advantages save a lot of time. According to an American Express study, a non-contact transaction is 52 percent faster than a contact-based payment. Compared to cash, the time saving is even 63 percent. In absolute terms, inserting a debit or credit card into a reader connected to a cash register followed by the customer’s signature takes an average of 28 seconds. Contactless payment, on the other hand, takes less than 18 seconds in most cases.
Retailers also benefit from contactless payment, as it makes it easier for them to collect valuable customer data. For example, vendors can tailor marketing programs, such as loyalty points, much better to the needs of their customers. In addition, the retailer no longer has to handle cash, which saves a lot of time-consuming administrative expenses.
Large supermarket chains, discounters, and gas stations already support non-contact payment in Germany. Smaller shops will presumably change their checkout system once contactless payment has reached wider acceptance. This, however, may take several more years.
Usually, these customer data include sensitive information, such as bank data, which can fall victim to abuse. If this is the case, the fraud can have serious financial consequences for the consumer. In this respect, it is essential to secure the transmission of data sufficiently in order to create trust and a wide acceptance among users. For this purpose, Infineon provides hardware-based security in the form of Secure Element (SE).
Secure Element (SE) is a dynamic environment that secures and manages user data within a device such as a smartphone or smart wearable. Since Secure Element is limited to a single device, an attacker would have to hack every additional device from the beginning. Depending on each device, there are different types of Secure Element. NFC SE, for example, secures user data on a removable card (SIM card) built-in mobile devices.
Security chips from Infineon are deployed in different places on a daily basis. Barcelona, the second largest city in Spain and – according to Juniper Research – one of the Smart Cities of 2015, has used the electronic payment system "T-Mobilitat" for bus and train tickets as well as bicycles within the public transport network for almost one year. Passengers conveniently pay for the various means of transportation via smart card or NFC-enabled smartphone. Infineon’s security chips based on the open security standard CIPURSE protect user information, such as payment data, from attackers by storing them in a secure environment on the device.
Besides the combination of payment and ticket functions, which is not only used in Barcelona, but also in other urban areas such as Chinese mega cities, smart wearables are also increasingly used as a key to buildings or a shared computer network. In these cases, adequate security plays a central role too.
The fact that smart wearables are not only practical but also fashionable is demonstrated by the NFC Ring. The water resistant and discreet jewelry makes a very good impression while jogging along a beach or attending an elegant evening event. The NFC Ring works like a contactless payment card with the significant difference that the user carries it permanently on the body and therefore does not have to remember putting it in her pocket every time. Similar to a debit or credit card, the user simply holds the ring onto a suitable terminal in order to pay. Infineon chips enable security during this process.
The security solutions from Infineon are based on the guidelines of the Europay International consortium, MasterCard and Visa (EMVCo), including American Express, Discover Financial Services, and JCB. The merger of the largest international credit card companies defines global security standards, which security chips and payment terminals must meet. In addition to security standards, EMVCo allows users to pay with their mobile device in other countries.
Since the number of smart wearables and the acceptance of contactless payment for goods and services will increase in the future, the requirement for manufacturers of security solutions will also have to be adapted accordingly. Infineon already offers innovative chips for this field of application.
At the same time, according to the Handelsinstitut EHI, contact-based payment, such as the insertion of a bank or credit card into the slot of a payment terminal, followed by a PIN or a signature, will continue to coexist for the foreseeable future.