How Banks Can Keep Big Techs from Dominating Contactless Payments

Consumers worldwide are showing a preference for secure contactless payment options, and tech giants are trying to corner a lion’s share of these transactions. But 'host card emulation' can help simplify the matter for banks and credit unions.

If there is one word that has kept the banking and fintech industry awake (apart from COVID-19, that is) it would be ‘Contactless’. Payment options that reduce the number of interactions, while minimizing or eliminating any kind of contact, are going to define the way transactions are done in the post-COVID-19 world.

A forecast on contactless payments by analyst firm Juniper Research estimates that global contactless transaction values will triple from $2 trillion in 2020 to $6 trillion in 2024. Service providers from different industries are after this pie. Banks and card issuers globally are offering contactless cards and mobile tap and pay options to consumers. Payment players like Apple Pay, Samsung Pay and Google Pay are spurring contactless payment adoption in many countries. In Africa, Mobile Network Operators have made contactless payments at merchants possible with mobile wallets like M-Pesa, Airtel Money, Orange Money, EcoCash and MTN MoMo.

In Asia-Pacific, fintechs and start-ups like Alipay in China, PhonePe and Paytm in India, GrabPay in Singapore, Malaysia and Philippines have leveraged QR Codes to transform the payments landscape. With rise of the pandemic and people preferring hygienic no-touch payments, all these contactless payment services have seen significant growth in transactions.

Various surveys done in 2020 during the pandemic reveal that many consumers are wary of touching publicly shared point of sale devices. This has stimulated the use of contactless cards and mobile tap and pay NFC services (virtual versions of physical cards on an NFC enabled mobile phone used to make payments at NFC PoS), which provides consumers a safer, cleaner and faster way to pay, with control over physical proximity.

A survey from Mastercard shows that 79% of surveyed consumers worldwide are now using tap-and-go payments, citing safety and cleanliness as the key drivers. The trend is here to stay, as 74% of the surveyed consumers will continue to use contactless payments even after the pandemic is over. As per the Visa Back to Business Study, 48% of the surveyed consumers have changed the way they pay, shifting to contactless payments whenever possible. 26% of the surveyed consumers have used ‘tap to pay’ technology during the COVID-19 for in-store purchase for the first time.

Not just consumers, but businesses are also going contactless to meet consumer needs: 20% of the surveyed small and medium businesses have adopted contactless payments like mobile or tapping a card during pandemic. All in all, the future of payments cannot be complete without ‘contactless payments.’

Advantages of Using Host Card Emulation for Contactless

While physical contactless cards are hygienic and convenient, they also mean one extra item for the customer to keep track of, and to keep clean too. Also, banks have to bear the added cost of manufacturing one, and sending it to the customer (multiply a few million times). Mobile wallets are great until you run out of credit, and then the cycle of constant worrying about ‘Am I maintaining enough money in them’ begins. Each of them are good on their own, anyway. Why not have a ‘best features only’ combination?

That’s where host card emulation comes in. Host Card Emulation (HCE) allows users to have a virtual version of the physical bank card, be it credit or debit, on their NFC-enabled mobile phone and then simply tap their mobile phone on NFC POS machines to make the payment. In most countries for lower value transactions payments are processed without the need of consumer entering the PIN, making the transaction completely contactless and hence hygienic. For higher value purchases, a PIN or one-time password is required.

The transaction limit for PIN-less transactions varies from country to country — the limit in India for such transactions is INR 5000. The limit of PIN-less contactless transactions was raised during COVID-19 pandemic in many countries. For example, in the United Kingdom, the limit for in-store contactless payments was increased from £30 to £45 from April 1, 2020.

Using Tokens to Keep Transactions Secure

The security of customer data that is communicated with the POS terminal is managed by the underlying principle of tokenization. In terms of mobile payments, tokenization can be explained as a process of replacing the sensitive data stored on the mobile phone with unique identification symbols (digital tokens), which retain the essential data information without making any compromise on its security. In this process, the digital token masks sensitive card details, making the transaction secure.

This sensitive data is sent to a highly secure and centralized server in riskless Cyber-Source data centers and is exchanged only in return for a safe token. These safe tokens are generated only using proprietary algorithms and are resistant to reversibility. The size of the token, in terms of bits and bytes, fits well to the payment card data fields, and a token can support almost any authenticated payment action while protecting the customer against card breaches and loss of personal financial data.

Tokenization benefits everyone in the payments value chain. For consumers, tokenization protects against card breaches and loss of personal financial data. With the proliferation of connected devices with NFC capabilities, it is critical to ensure a card replicated by unscrupulous actors doesn’t result in more damage than anticipated. Tokenization helps to achieve this.

With card-on-file transactions on the rise and card management being done directly by the merchants, the risk of card information being compromised and leaked is increasing. The cost is borne by the card issuer, especially in card-not-present (CNP) transactions, and with e-commerce booming in the post COVID world, it is critical to protect these faceless transactions even more. Tokenization with built-in cryptography is the answer.

The increasing demand for contactless payments and the ease with which a physical card can be converted into a virtual one, has enabled launch of HCE based contactless payments in developed countries and emerging economies alike. For example, SBI Card, one of the largest credit card issuers in India with over ten million customers and a subsidiary of the country’s biggest bank, makes the HCE feature available for its customers through SBI Card Pay service. Developed in partnership with Comviva, this option is opt-in, where users have to register for SBI Card Pay service from the app to enable ‘tap and pay’ contactless payment service on their compatible mobile devices.

Not only does this provide an easy way for customers to pay in a contactless manner, it also negates the need to reissue thousands, if not millions, of contactless cards to the bank’s customers.

Raiffeisen Bank — one of the largest retail banking groups in Europe with 25 million customers in 15 countries — has launched contactless payment service RaiPay in multiple countries including Romania, Czech Republic, Bulgaria and Serbia.

COVID-19 has further accelerated the introduction of ‘tap and pay’ services. In September 2020, IDFC FIRST bank in India introduced the HCE-based contactless payment service with the name ‘SafePay’, highlighting the social-distancing friendly nature of the solution. In September 2020, Commercial Bank of Kuwait also announced a service that allows use of digital debit and credit cards to make secure contactless payments using smartphones.

While HCE feels like the relevant solution for the current environment, the need to get it right in terms of security is paramount. From managing the risk of exposing the payment section to malware and viruses to requiring a risk-based authentication for a legitimate device and user payment credentials, the process needs to be quick, efficient and robust, which can be achieved by working with a security-conscious technology partner adept at utilizing limited-use payment credentials (e.g., tokens, transaction keys) and other risk management techniques.

This article was originally published on . All content © 2024 by The Financial Brand and may not be reproduced by any means without permission.