NFC payments on personal machines: PCI versus innovation (part I)

Nearly six-months ago Engadget reported that NFC payments may be coming to Lenovo laptops equipped with built-in NFC readers. Digging deeper, the headline proves somewhat misleading– Lenovo only announced that these models have an integrated NFC reader. The author appears to have optimistically jumped to the conclusion that they could be used to enable payments. (HP already beat them to the punch with the Spectre Envy over a year ago but the story neglects to mention that.) Humoring this line of speculation, it is a fair question what exactly stops users from completing an ecommerce transaction by tapping their contactless credit card to their laptop. This is an interesting case where technology is running well ahead of self-imposed certification rules.

Accepting payments vs. making payments

First one clarification: the Engadget story refers to using off-the-shelf devices as payment terminals (point-of-sale or POS in industry parlance.) This is not to be confused– which the article does– with using the device as a payment card, as in the case of making in-store payments with Google Wallet running on an Android device.

At a superficial level, both scenarios use the same technology and follow the same EMV suite of payment protocols. But the roles are reversed. In the first case the device is in card-emulation mode, behaving like an ISO-14443 compatible smart card. It is acting as the source of payment instruments. By contrast when a device is accepting payments, it operates in reader-mode and behaves like a point-of-sale terminal. The device communicates with the card over NFC to drive the transaction, ultimately obtaining necessary information to authorize a charge against the card over some payment network. (Somewhat confusingly both can be combined: tap Android phone running Google Wallet against NFC-enabled laptop. Earlier we described a proof-of-concept along those lines but it was used for authentication rather than payments.)

The scenario Lenova is supposedly piloting would fall into the second case: visit an ecommerce site and during checkout tap NFC-enabled credit card to pay.

Easy enough

Playing the role of an NFC-enabled credit card requires having cryptographic keys associated with that card. The information is not printed or encoded on the plastic card itself. It is not possible to collect this from the user and somehow convert an ordinary magnetic-stripe card into one that can successfully interoperate with compliant POS terminals. It is up to the issuer to decide what type of hardware they are willing to entrust with these keys. Due to the high security concerns around safety of payment information, that usually means special tamper-resistant hardware. In the case of mobile devices, this is  either an embedded secure element that is part of the phone hardware (used by Google Wallet) or hardened SIM cards with additional capabilities, as Google’s ill-fated competitor ISIS plans to leverage.

By contrast the reader side is not authenticated at all. Anyone can write reader software that will walk any EMV-compliant card through the transaction protocol. There is no “permission” required at the technology level for this. Of course there is a very stringent certification process for anyone one planning to manufacture and sell credit card readers for use in commercial settings. But such criteria  exist above the application protocol layer. The wire protocol has no provisions for recognizing when a particular reader is “EMV-approved” and declining to proceed with payment. From a strict compatibility perspective, there is no reason why any laptop, tablet or smartphone equipped with an NFC reader could not function as point-of-sale terminal for accepting payments.

Proof-of-concept, no assembly required

MasterCard provides a Paypass emulator— Paypass being the MasterCard variant of EMV contactless payment protocols. This emulator runs on a Windows, executing a “payment” complete with a trace of messages exchanged with the card. Running the emulator typically requires an external smart-card reader attached to the system, compatible with the PC/SC standard used by Windows for reader hardware. But as we pointed out, many laptops are already shipping with integrated NFC readers. Given appropriate PC/SC device drivers, these can function as smart card readers. In fact we demonstrated this earlier by using an NXP provided PC/SC driver for the PN533 in HP Envy laptops for a proof-of-concept.

The only part of this simulation requiring quotes around “payment” is that no money changes hands. The emulator is not connected to any payment processor or issuer that will act on the information obtained by the card. But the card itself has no idea whether funds were actually moved. All of the bits exchanged over NFC are identical in both cases.

(Caution: the Paypass protocol includes an “application transaction counter” or ATC. Each completed tap– even when the reader is not connected to an actual cash register and no money is exchanging hands– will increment the ATC. If the ATC on the phone gets too far ahead of the ATC stored by the card issuer, future payments may be declined. Luckily in the case of Google Wallet, performing a full wallet-reset from Settings menu will provision a brand-new card with ATC reset to zero.)

Missing pieces

The proof-of-concept covers the first hop– from the card to the NFC-equipped laptop. But that is not quite the full picture, since transaction data must eventually make its way to the remote website or service and from there into the payment rails associated with a network such as MasterCard or Visa. So what are the missing pieces?

  • Browser integration
  • Differences in payment authorization between what websites use today and data generated by an NFC transaction
  • Compliance with payment network regulations




Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s