History of Cloud-based Payments in MeaWallet and Globally

In this article, we introduce you to our journey as a vendor for Cloud-based Payments. What does it mean to be the first in an ever-changing technology? And how do you comply with constantly changing requirements? In other words: the history of Cloud-based Payments at MeaWallet and globally.

1978 – The Beginning!

First NFC-card prototype

It all started in 1975 with a rocket scientist and an inventor: Helmut Gröttrup and Jürgen Dethloff. The engineers joined efforts and created the first ‘smart card’, a small card where the microprocessor and memory were joined together. It was easy to move, store and use. It did not require any power to store data and could be read and written through a simple interface.

In 1978, UPS granted a patent for their invention of the first “smart card”. Mass usage started in 1983 in France, where such cards were issued for payments in payphones. Less than 10 years later (1992), France started to issue the first payment cards which allowed payments to merchants. These merchants did not need a connection to the internet, as the cards stored the total available amount on them. A few years later many European countries started to use these prepaid cards.[1]

In 1997 the world was introduced to JavaCard, a special Java version created for Smart Cards.[2] It simplified application development for all Smart Cards. Today more than 4 billion devices are using it, including every SIM card and every payment card.

Smart Card – also called integrated circuit card (ICC) – a small device with embedded integrated circuits. The two most popular versions are ‘SIM card’ (UICC) and plastic ‘payment card’.

2004 – NFC is born!

NFC was first released in 2004. The ‘NFC Forum’ founded by Sony, Philips, and Nokia worked to establish it as a high technical standard.

“NFC is a short range (4 inches/10 cm) wireless connectivity technology that evolved from a combination of existing contactless identification and interconnection technologies. Operating at high frequency (13.56 MHz), it transfers data at up to 424 Kbits/second. NFC provides intuitive, simple, and safe communication between electronic devices.” [3]

2005 – 2011 Move to Mobile

Only a year after NFC was invented, VISA started its trial for proximity payments in phones.

2005, December – “Visa participated in a first-of-its-kind NFC trial for mobile phone proximity payment and content downloads (..), working with Philips Semiconductor (NXP), Nokia, Cingular, Chase, and ViVOtech.” [4]

MasterCard followed in VISA's footsteps, and a year later announced the same type of trial as well.

2006, November – “MasterCard Worldwide announced a market trial of the use of NFC enabled mobile phones for “Tap & Go” payment in partnership with Nokia.” [5]

The next few years were full of speculation and predictions about payments. The internet was flooded with them, and the expectation was that it would be big… but was it?

Issues

#1 The first issue was mobile device compatibility. Phones were not built for payments. Manufacturers started to add antennas and secure elements, but the quality varied from device to device. In 2008 MasterCard released approval guides for device manufacturers to comply with requirements for its PayPass standard.

  • ‘PayPass Vendor Testing Guide (Cards and Devices) Version 1.1 – May 2008’
  • ‘Mobile MasterCard PayPass Testing and Approval Guide December 2009 – Version 2.0’

#2 The next issue was the card itself. It is not a simple mobile application that can be downloaded from anywhere on the internet and placed in the phone. There are lists of security mechanisms and protocols defined by GlobalPlatform [6], which need to be followed in order to load a card into the secure element.

#3 Availability of Secure Elements: the form factors differ (embedded SE, micro SE), and not all devices had an SE. The most obvious approach was then to use the SIM (UICC) card.

#4 The biggest issue was access to the secure element. Not everyone has access to it, as it is only granted by the manufacturer to special companies, Trusted Service Managers (TSMs). Mobile Network Operators (MNOs) are one such kind of TSM. Most of the mobile payment projects required banks to involve local Mobile Network Operators to personalize phones’ SIM cards with their payment cards. This was very expensive, and due to all the issues listed here, it never quite worked with end-users.

It was 2011, and everyone had begun to lose hope of a common approach to payments from mobile devices, when Google introduced “Google Wallet”. Google started to offer their own prepaid card, and it felt like “this is the time… when payments will kick-off”.

Google and Isis

As Google Wallet was launched in the US, Google wanted the wallet application to be pre-loaded on all new devices. “Verizon, AT&T, and T-Mobile did not like the Wallet initiative one bit. They refused to sell Android phones containing the Wallet app. Why? Because they were cooking up their own competing phone-payment system, originally called Isis. (The name changed to Softcard after the word “Isis” became better known as an Islamic extremist group.)”[7]

After this, Google Wallet slowly disappeared. Hope was lost once again, and it was time for a revolution…

Secure Element in a Cloud!

In September 2012, an unknown company called ‘SimplyTapp’ proposed to store secure elements in the cloud. “Instead of storing private data, such as payment card details, in a secure element (SE) on the phone, SimplyTapp stores data in a “remote secure element” in the cloud. When a consumer makes a purchase, the data is pulled down from the remote secure element and passed through the phone to the POS terminal” [8]

The first form of Cloud-based Payments was born!

A year later, in April 2013, the first source code changes regarding Host Card Emulation (HCE) appeared in CyanogenMod (a custom version of Android OS).[9]

Later the same changes were also added to the Android OS [10], and on October 31, 2013, Android released OS version 4.4 (KitKat), the first OS version with Host Card Emulation support. [11]

Many noticed this change and worked to provide payments from the cloud. The first thing they noticed was that a mobile network is not available to everyone, and there are many places where networks do not exist at all. If customers cannot rely on a payment method, they will not use it. Therefore, streaming data in real time from the cloud during a transaction was replaced with partial downloads of keys. Each downloaded key was only usable for a single transaction. This made the solution less secure, but more reliable.
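The single-use key design described above, as a simplified model (an added example, not MeaWallet's or MasterCard's code). HMAC-SHA256, the counter-based key derivation and all class and function names are assumptions chosen for illustration, not the scheme any specification defines.

```python
import hashlib
import hmac
import os

def mac(key: bytes, data: bytes) -> bytes:
    """8-byte transaction cryptogram (HMAC-SHA256 is a stand-in, see lead-in)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:8]

class Issuer:
    """Cloud side: holds the card master key and hands out single-use keys."""
    def __init__(self) -> None:
        self.master = os.urandom(32)   # never leaves the cloud
        self.issued = 0                # highest counter provisioned so far
        self.spent = set()             # counters already accepted once

    def _key(self, counter: int) -> bytes:
        return hmac.new(self.master, counter.to_bytes(4, "big"), hashlib.sha256).digest()

    def provision(self, count: int) -> list:
        batch = [(c, self._key(c)) for c in range(self.issued + 1, self.issued + count + 1)]
        self.issued += count
        return batch

    def verify(self, counter: int, txn: bytes, cryptogram: bytes) -> bool:
        if counter in self.spent or not 1 <= counter <= self.issued:
            return False               # replayed or never-issued key
        if not hmac.compare_digest(mac(self._key(counter), txn), cryptogram):
            return False               # wrong key or altered transaction data
        self.spent.add(counter)        # a key authorises exactly one transaction
        return True

class Wallet:
    """Phone side: a small pool of pre-downloaded keys, usable offline."""
    def __init__(self) -> None:
        self.pool = []

    def pay(self, txn: bytes):
        if not self.pool:
            return None                # pool empty: needs network to replenish
        counter, key = self.pool.pop(0)    # key is discarded after one use
        return counter, mac(key, txn)

def demo():
    issuer, wallet = Issuer(), Wallet()
    wallet.pool += issuer.provision(2)             # downloaded while online
    txn = b"amount=12.50;terminal=constructed-01"  # constructed sample data
    counter, cg = wallet.pay(txn)
    return issuer.verify(counter, txn, cg), issuer.verify(counter, txn, cg)
```

The keys sit on the phone between download and use, which is the security cost the paragraph mentions; in this model a copied pool is worth at most as many transactions as it holds keys, and each of those is rejected once the genuine one has been accepted.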

It had momentum, and many new companies appeared to offer HCE payments. All tried their best to build a solution as good and secure as they saw necessary. Big payment networks needed to react fast.

2014, February 19 – MasterCard and VISA both announced their intent to create specifications describing functional and security requirements.

  • “MasterCard today announced it will publish a specification that leverages Host Card Emulation (HCE) for secure near field communication (NFC) payment transactions. The approach will enable consumers to easily use their MasterCard-branded cards on their NFC-enabled phones to make contactless payments.” [12]
  • “Visa today announced it is offering clients new options to securely deploy mobile payment programs, including for the first time an option to host Visa payWave-enabled accounts in a secure, virtual cloud. The move expands Visa’s support for mobile payments globally and will give financial institutions greater choice in offering consumers secure ways to pay with smartphones.” [13]

Vendors were ‘knocking’ at MasterCard’s doors, waiting for the set of specifications, as everyone wanted to build a fully compliant solution, but often projects cannot wait.

Only 4 months later, the first specifications started to appear, and ‘MasterCard Cloud-based Payments’ (MCBP) version 1.0 was born.

  • 2014, June – MasterCard publishes ‘MasterCard Cloud-based Payments – Product Description’, version 1.0
  • 2014, August – MasterCard publishes ‘MasterCard Cloud-based Payments – Credential Management System – Functional Description’, version 1.0.
  • 2014, December – MasterCard publishes ‘MasterCard Cloud-Based Payments – Transaction Management System – Functional Description’, version 1.0.

MCBP version 1.0 required users to authenticate themselves for every transaction with a Mobile PIN. This triggered a lot of complaints from issuers and vendors, as they were ready to take the risk of lowering security to improve the user experience.

In July 2015, MasterCard introduced support for multiple Consumer Device Cardholder Verification Methods (CD-CVM), for example, use of the lock screen.

On October 15, 2015, Android released OS version 6.0 (Marshmallow) [14] with improved lock-screen handling, which allowed mobile applications to properly use it as CD-CVM for the first time.

A new version of MCBP 1.0+ was released in April 2016, which also added support for ‘Card-Like User Experience’, an experience similar to the contactless plastic card. The cardholder can perform multiple Low-Value Transactions (transactions below a certain limit) without any authentication, and only needs to authenticate himself/herself during High-Value Transactions.

On May 1, 2017, MasterCard released the MCBP 2.0 specifications. They included many changes and improvements to fix issues noted in MCBP 1.0/1.0+. Unlike with the first release, MasterCard now had more time to work on the new specifications, which was visible in the quality and quantity of available information.

On August 21, 2017, Android released OS version 8.0 (Oreo) [15] with additional lock-screen management functions to allow mobile payment applications to use it for prolonged CD-CVM.

But Wait – Apple Pay?

Apple Pay does not use Host Card Emulation, but Secure Element instead. This means that the full content of the card is loaded in your phone, stored inside of the Secure Element with all the keys, and no cloud is needed.

This is the approach everyone attempted till 2014 and failed. Apple never had the same issues, as they control the hardware, have access to the keys, and have only a limited number of device types to test.

Apple started in 2013, when embedded Secure Elements were very popular, and used this approach in their implementation.[16]

 

If you want to know more about cloud-based payments, contact us at sales@meawallet.com.
