Tips & Tricks
2007 11 - emv mobile contactless payment white paper version 1.0 final
Like this document? Why not share!
Pedoman pengoperasian dan pemelihar...
Investigando sobre funciones del si...
by Hiram Baez Andino
Email sent successfully!
Show related SlideShares at end
2007 11 - emv mobile contactless payment white paper version 1.0 final
Jun 11, 2010
Comment goes here.
12 hours ago
Are you sure you want to
Your message goes here
Be the first to comment
Be the first to like this
Number of Embeds
No notes for slide
Transcript of "2007 11 - emv mobile contactless payment white paper version 1.0 final"
1. EMV Mobile Contactless Payment White Paper: The Role and Scope of EMVCo in Standardising the Mobile Payments Infrastructure Version 1.0 October 2007
EMV Mobile Contactless Payment White Paper: The Role and Scope of EMVCo in Standardising the Mobile Payments Infrastructure Version 1.0 October 2007 © 1994-2007 EMVCo, LLC (“EMVCo”). All rights reserved. Any and all uses of the EMV Specifications (“Materials”) shall be permitted only pursuant to the terms and conditions of the license agreement between the user and EMVCo found at http://www.emvco.com/specifications.cfm.
EMV Mobile Contactless Payment White Paper Version 1.0 Page ii © 2007 EMVCo, LLC (“EMVCo”). All rights reserved. October 2007
EMV Mobile Contactless Payment White Paper Version 1.0 Contents 1 EXECUTIVE SUMMARY .................................................................................. 1 2 MOBILE PAYMENTS OVERVIEW .................................................................. 3 2.1 Market Background....................................................................................... 3 2.2 Mobile Proximity Payments.......................................................................... 5 2.3 Mobile Remote Payments.............................................................................. 6 2.4 EMVCo Prioritisation: Mobile Contactless Proximity Payments versus Mobile Remote Payments .............................................................................. 6 3 THE ROLE OF EMVCo IN STANDARDISING MOBILE PAYMENTS ......... 9 3.1 Progress to Date .......................................................................................... 10 3.2 EMVCo Future Deliverables....................................................................... 11 3.2.1 EMVCo: Traditional Role - ‘Technical Development’........................... 11 3.2.2 EMVCo: Industry Co-ordination Role................................................... 12 3.3 EMVCo Mobile Payment Working Group Road Map: Charting Deliverables .................................................................................................. 13 APPENDIX 1 EMVCo MOBILE PAYMENT WORKING GROUP – HIGH- LEVEL ROADMAP* ................................................................................................ 17 Page iii © 2007 EMVCo, LLC (“EMVCo”). All rights reserved. October 2007
EMV Mobile Contactless Payment White Paper Version 1.0 Page iv © 2007 EMVCo, LLC (“EMVCo”). All rights reserved. October 2007
EMV Mobile Contactless Payment White Paper Version 1.0 1 Executive Summary This White Paper aims to clearly define the role and scope of EMVCo in the development of a standardised platform for mobile EMV payments which will enable this type of payment method to be deployed on a mass market scale. EMVCo’s role in this respect is two-fold. Firstly, as the mobile payments sector is growing, there is an increasing need for EMVCo to address and resolve a number of technical infrastructure issues associated with enabling contactless proximity payments via mobile phone handsets. This ‘technical development’ responsibility is in line with EMVCo’s traditional role within the payments industry as a technology standards body. The mobile payment technical focus of EMVCo will be an adjunct to the organisation’s work towards the development of specifications related to contactless payment and associated common Type Approval process for cards and terminals. Secondly, there is an urgent need for the payments industry to adopt a collaborative approach to standardisation, due to the nature and early lifecycle stage of the mobile payments market. EMVCo will co-ordinate the payments industry efforts, in standardisation work with other industry groups and market forces in order that an interoperable mobile contactless proximity payment model for EMV transactions can be defined and created. A logical outcome of EMVCo’s role as mobile payments industry standardisation co-ordinator will be that the organisation becomes recognised as the common voice of the payments industry on mobile contactless proximity payments standardisation. EMVCo’s proposed role within the standardisation of mobile contactless payments can therefore be classified under two headings and broken down into a number of key deliverables: Technical Development: • To define chip data security requirements • To define a framework for Type Approval process • To define global interoperability from a technical perspective • To identify user interface issues Industry Co-ordination • To standardise mobile contactless proximity payment infrastructure requirements • To fill in ‘gaps’ which exist in the standardisation of Over-the-Air (OTA) card and application management (both secure element and user interface) • To shape the development of and refer to chip interface requirements October 2007 © 2007 EMVCo, LLC (“EMVCo”). All rights reserved. Page 1
EMV Mobile Contactless Payment White Paper Version 1.0 • To actively engage relevant standards organisations on behalf of EMV involvement in the standardisation for mobile contactless proximity payment • To speak with a common voice to operators and banks about mobile payment opportunities, challenges and the need for standardisation. In order to deliver these outputs in a structured and timely manner, EMVCo has defined a ‘Mobile Payment Working Group Road Map’, which is included as an appendix to this White Paper. This document charts the work priorities of the organisation, and provides an overview of key EMVCo deliverables which have been plotted over the short, medium and long term, in the context of external industry standardisation efforts in the mobile payments arena and natural market developments. Throughout the process of working towards the creation of a global interoperable contactless proximity payments infrastructure for EMV transactions, EMVCo will continue to solicit feedback on its role from the payments industry, in order that it remains relevant to, and representative of, the sector. The position of EMVCo, as outlined in this White Paper, has been agreed by the three payment system members of EMVCo - JCB Co. Ltd, MasterCard Worldwide and Visa International. It has also been agreed by the EMVCo Board of Advisors which is populated by representatives of the global payments community. EMVCo’s position relative to mobile payments expressed within this White Paper has therefore received significant acceptance from the payments industry. Page 2 © 2007 EMVCo, LLC (“EMVCo”). All rights reserved. October 2007
EMV Mobile Contactless Payment White Paper Version 1.0 2 Mobile Payments Overview 2.1 Market Background The increasing rate of convergence between the mobile telecommunications and payments industries has led mobile payments to become a rapidly growing industry sector in recent years. Forecasts by Juniper Research 1 estimate that mobile payments are set to rise from $155 million in 2005 to $10 billion total revenue by 2010, thanks to a significant increase in mobile payment schemes and consumer demand during that time frame. All actors within the value chain are set to benefit from the wide-scale deployment of mobile payments: the financial community, merchants, network operators, technology providers and consumers. These benefits are set to increase as mobile payment programmes evolve beyond the medium term reality of mass market mobile proximity payments, to incorporate authentication and mobile remote payment functionality in the longer term. The business case for the wide- scale deployment of mobile payment schemes as a priority could not be clearer. There is, however, a lack of a common industry approach to standardisation and this is acting as a key barrier, preventing mobile payments from becoming available to the masses at present. That is not to say that the industry is not taking an active interest. Indeed in recent years, many technical industry bodies have initiated key work items necessary to enable a mobile payments infrastructure, some of which have already been brought to a successful conclusion: • The Open Mobile Alliance is facilitating the transmission of card and application management commands using device management concepts which have already been standardised • Since inception, GlobalPlatform Specifications have taken into account the post-issuance card and application management capability necessary for Over-The-Air (OTA) provisioning • The Near Field Communication (NFC) IP1 Specification has gained the approval of the European Association for Standardizing Information and Communication Systems (ECMA) and the International Organization for Standardization (ISO) • GSM Association (GSMA) is facilitating a standard connection between SIM cards and NFC chip. 1 (Mobile Commerce Strategies: Ticketing, Retail, Payment and Security 2005-2010 (second edition) - Alan Goode, 01-2006). October 2007 © 2007 EMVCo, LLC (“EMVCo”). All rights reserved. Page 3
EMV Mobile Contactless Payment White Paper Version 1.0 • The European Telecommunications Standards Institute (ETSI) has made the SIM OTA Specifications available to facilitate confidential loading of applications. The organisation also intends to standardise the interface between the SIM and the contactless modem • The Mobile Payments Forum (MPF) has developed an ecosystem document – Mobile Proximity Payment Issues and Recommendations, October 2006. EMVCo has also been active on the standardisation front. Existing work towards the delivery of contactless payment specifications and associated common Type Approval process for cards and terminals has recently had its focus extended to consider the issues associated with delivering contactless proximity payment applications via a mobile handset. EMVCo is breaking new ground with this initiative, since it is the first time EMVCo has looked at enabling payment devices beyond the card form factor. The delivery of contactless proximity payment specifications has already commenced with MasterCard assigning its Contactless Communication Protocol, Level 1, to EMVCo in Q1 07. The move signals progress towards a common platform for contactless proximity payment transactions amongst the three key payment system members of EMVCo: JCB Co. Ltd., MasterCard Worldwide and Visa International. Subsequently, EMVCo published the Entry Point specification, which allows a single terminal to process contactless payments from cards or tokens regardless of whether they support a JCB, MasterCard or Visa chip based contactless proximity payment application. So it is clear that a substantial level of standardisation activity is happening in the marketplace. It is important, however, to re-emphasise the key issue: there is no central controlling entity with responsibility for driving forward a common approach or uniting the efforts of key groups to ensure that business, functional and security requirements are defined for an EMV mobile payment infrastructure and to align the work efforts of technical bodies. The impact of a fragmented approach to standardisation can already be seen in a number of mobile payment services and market trials which have, to date, been launched in Asia, the US and to a lesser extent, Europe. These programmes, which are domestic and proprietary in nature, have uneven characteristics in some regional markets e.g. Japan and the US. They bear all of the traditional limitations associated with proprietary solutions – lack of competition among vendors, interoperability issues, cost implications etc – and the operators behind many of these schemes have yet to address the issues raised when determining business models and trust relationships for multi-operator programmes. With the emergence of new players in the marketplace, the demand for standardisation is real and growing. It is the view of the EMVCo Board of Advisors, which represents the global payments community, and the payment system members of EMVCo, that EMVCo has a responsibility to assume the central role in defining the requirements for an EMV mobile contactless payments infrastructure and consolidating industry standardisation efforts to create this platform. Page 4 © 2007 EMVCo, LLC (“EMVCo”). All rights reserved. October 2007
EMV Mobile Contactless Payment White Paper Version 1.0 2.2 Mobile Proximity Payments There are a number of factors driving the business case for mobile proximity payments: the ubiquity of the mobile phone, the capacity for extended functionality of the handset beyond telephone calls/short messaging and perhaps most significantly, the rapid and ongoing increase in the number of contactless payment deployments (card form factor) which has led to the establishment of a vast contactless acceptance infrastructure among merchants in a number of global markets which can be leveraged, in its current form, for mobile payments. Operators who have rolled out mobile contactless proximity payment scheme trials to date have clearly benefited from the ability to leverage the contactless merchant infrastructure that already exists in many regions, thanks to the success of contactless proximity payment deployments which utilise a variety of form factors, including cards, key fobs and wristbands. The very fact that the existing contactless merchant infrastructure can be leveraged for contactless proximity payment applications on different form factors, including mobile phone handsets, results in a huge reduction in infrastructure investment at all stages of the value chain and will expedite the roll out of mobile handset contactless proximity payments to the mass market. Another opportunity which can be leveraged by mobile contactless proximity payment programmes is the potential of mobile handsets to provide an enhanced cardholder experience. Via the display screen and keypad, which are common features on all handsets, the user can easily and conveniently launch a payment application or validate their participation in a payment transaction by entering a code or password – a concept familiar to most consumers who use a PIN to access their payment card services. In the longer term, providers of mobile contactless proximity payment services will be able to offer additional mobile services (non-payment) to customers, subsequently enhancing their overall value proposition to the consumer. Cardholders around the world are accustomed to having multiple payment and non-payment (e.g. ID and loyalty) cards in their wallets. Once an interoperable infrastructure is in place, mobile phone handsets will be enabled to incorporate contactless proximity applications from multiple brands and issuers across a range of industry sectors, such as transit, retail and payment, allowing the user to access a variety of mobile services through their handset. In order to make mobile payments a viable long term business proposition, this level of cross sector interoperability is not just highly desirable, but absolutely necessary. So what path does the industry need to take to ensure that mobile contactless proximity payments become a reality in the wider marketplace? There are a number of core technical and business challenges to be overcome in the standardisation process. At a high level, these include: • Personalisation, contactless proximity payment application provisioning and lifecycle issues associated with a non-card form factor • The definition, development and implementation of appropriate security controls and a robust Type Approval framework and associated process for mobile devices supporting contactless proximity payments to ensure global interoperability October 2007 © 2007 EMVCo, LLC (“EMVCo”). All rights reserved. Page 5
EMV Mobile Contactless Payment White Paper Version 1.0 • The need to address the business models and trust relationships for multi- operator mobile payment scenarios. EMVCo’s positioning with regard to tackling these issues, in close collaboration with other industry partners, is clearly defined later in this document. It should be made clear, however, that as a technical specifications body, EMVCo will aim to focus exclusively on addressing technical and ecosystem issues arising from standardisation and will not aim to resolve issues associated with business models and trust relationships. EMVCo’s role in the industry debate surrounding these latter issues will be to simply advise on the technical challenges of business models proposed by the industry. 2.3 Mobile Remote Payments The future relevance and expansion of EMV in the remote payments sector will be determined by the capability of network providers to offer the necessary EMV authentication data support to enable consumers to use their mobile phone handsets to securely verify their identity and approve payment transactions. The issue of control must also be addressed by the appropriate actors in the remote payment value chain, through the definition of appropriate business relationships and trust models. 2.4 EMVCo Prioritisation: Mobile Contactless Proximity Payments versus Mobile Remote Payments Feedback from the EMVCo Board of Advisors suggests that currently the demand for an open architecture to enable the wide-scale deployment of mobile contactless proximity payments is far greater than the requirement for a mobile remote payments platform. In line with this, EMVCo’s initial priority, with regard to mobile payments standardisation, will be to focus on the infrastructure and ecosystem issues associated with enabling contactless proximity payments via mobile phone handsets. In addition to satisfying industry requirements, this also aligns well with the work already being carried out within EMVCo towards the development of contactless payment specifications and associated common Type Approval process for cards and terminals. From a wider mobile payments perspective, the EMVCo Board of Advisors and Executive Committee have agreed that facilitating authentication applications, including how an EMV application in a mobile phone might be used to authenticate a cardholder in a face-to-face environment or another channel, and remote payments, where the phone is used to buy goods and services from an e- commerce merchant, are secondary priorities for the organisation. Page 6 © 2007 EMVCo, LLC (“EMVCo”). All rights reserved. October 2007
EMV Mobile Contactless Payment White Paper Version 1.0 While this paper is therefore not aimed at addressing EMVCo’s role in authentication using a mobile device or mobile remote payments, the EMVCo Executive Committee does recognise that much of the infrastructure needed to support an EMV application performing a contactless proximity payment in a mobile phone would also be relevant and reusable for mobile authentication and remote payment services. As such, EMVCo will continue to monitor industry requirements and feedback regarding its role in mobile authentication and remote payment services and reflect the counsel of its Advisors in its strategic planning for the future. October 2007 © 2007 EMVCo, LLC (“EMVCo”). All rights reserved. Page 7
EMV Mobile Contactless Payment White Paper Version 1.0 Page 8 © 2007 EMVCo, LLC (“EMVCo”). All rights reserved. October 2007
EMV Mobile Contactless Payment White Paper Version 1.0 3 The Role of EMVCo in Standardising Mobile Payments The EMV Integrated Circuit Card Specifications for Payment Systems have become the de facto interoperable payment standards for contact chip cards and terminals world-wide. EMVCo’s traditional role in the development of these specifications has been to undertake the typical duties associated with a technical standards body. The organisation’s key responsibility has been to manage, maintain and enhance the EMV Specifications to ensure interoperability and acceptance on a global basis. EMVCo is also responsible for type approval processes for terminal compliance testing and Common Core Definitions (CCD) and Common Payment Application (CPA) card compliance testing. EMVCo acknowledges that there is inherent value in maintaining this traditional ‘technical development’ role relative to its work in the mobile payments arena. The organisation also recognises that due to the relatively early developmental stage of mobile payments technology, the lack of precedent for an advanced proximity payments infrastructure and the change in form factor from card to mobile phone handset, there is additionally a new role for the organisation to fulfil. The further requirement is for EMVCo to work with the industry at large to co- ordinate mobile payment standardisation efforts in order to ‘bridge the gap’ between EMV contact and contactless payment specifications, the standardisation work being undertaken by other industry groups and general market forces. This can only be achieved if EMVCo fully engages with the industry, particularly those standardisation and technical bodies that have already made significant progress towards a mobile contactless proximity payments infrastructure, in order to obtain comprehensive support for the definition and agreement of a common collaborative approach. As EMVCo progresses in this role, it is a logical conclusion that the organisation will become recognised as the common voice of the industry on mobile proximity payment standardisation efforts. The position of EMVCo, as outlined in this White Paper, has been agreed by the three payment system members of EMVCo - JCB Co. Ltd, MasterCard Worldwide and Visa International. It has also been agreed by the EMVCo Board of Advisors which is populated by representatives of the global payments community. EMVCo’s position relative to mobile payments expressed within this White Paper has therefore received significant acceptance from the payments industry. October 2007 © 2007 EMVCo, LLC (“EMVCo”). All rights reserved. Page 9
EMV Mobile Contactless Payment White Paper Version 1.0 3.1 Progress to Date To spearhead EMVCo’s focus on mobile payments, an EMVCo Mobile Task Force was established in Q3 2006 (which became the Mobile Payment Working Group in 2Q 2007). It was initially briefed to define the business goals for EMV Specifications in the mobile payments space. Following early consultation with the EMVCo Board of Advisors and the EMVCo Executive Committee, the Mobile Payment Working Group determined that EMVCo’s immediate priority is to focus on enabling contactless proximity payments via a mobile phone by addressing the associated infrastructure and ecosystem issues. It was mutually agreed by all parties that EMVCo’s involvement in the development of the wider mobile payments landscape, specifically regarding a standardised authentication application and the implementation of EMV applications within a remote payments infrastructure, is a secondary priority at the current time. In light of the mobile contactless proximity payments priority determined for EMVCo, it became apparent that the work of the Mobile Payment Working Group is actually an adjunct to the work of the EMVCo Contactless Working Group, established in Q1 06. The aim of the Contactless Working Group is to develop contactless payment specifications and associated common Type Approval process for cards and terminals. The Mobile Payment Working Group, therefore, will be able to leverage the work of the Contactless Working Group to ensure interoperability between a single physical contactless proximity payment terminal and different payment systems’ contactless proximity payment cards, form factors and payment devices adopting a mobile phone form factor. Business goals for mobile contactless proximity payments were soon defined and agreed by the EMVCo Board of Advisors, and synchronisation between the work of the Mobile Payment Working Group and the Contactless Working Group was established. The next undertaking for the Mobile Payment Working Group was to clearly identify the specific technical infrastructure and ecosystem issues that EMVCo would have to address in its dual role as technical standards body and industry co-ordinator. A thorough analysis of external mobile standardisation efforts undertaken in the recent past and currently ongoing was conducted. This allowed EMVCo to identify gaps in the standardisation process, from both a technical and industry- wide perspective, which it could successfully address in the medium to long term in order to consolidate the sector’s approach to the development of a mobile contactless proximity payments infrastructure. The results of this process can be seen in the deliverables outlined below, which are categorised according to their association with EMVCo’s traditional role as a technical standards body, or its new role as an industry co-ordinator. Page 10 © 2007 EMVCo, LLC (“EMVCo”). All rights reserved. October 2007
EMV Mobile Contactless Payment White Paper Version 1.0 3.2 EMVCo Future Deliverables 3.2.1 EMVCo: Traditional Role - ‘Technical Development’ 1. The definition of chip data security requirements EMVCo will define security requirements for the secure elements in mobile devices and the interfaces between the secure elements and user interface applications, the contactless modem and cellular modem. A key consideration will be global interoperability. 2. The definition of a Type Approval framework and associated process Payment applications in a mobile device involve a number of different elements which may be provided by different parties. These may include the mobile device itself, the contactless communications modem, a secure element hosting the payment application, the payment application and a user interface application running on the mobile device. The combinatorial nature of these elements presents a problem for Type Approvals, particularly as a financial institution may have limited influence on the particular mobile device and secure element a user has, which might be supplied by a mobile network operator. There is a need to address this issue in a manner which does not stifle the production of mobile devices capable of supporting payment applications. Specific challenges to be addressed include determining an appropriate method for testing individual mobile phone handsets, secure elements and lifecycle issues. 3. The definition of global interoperability from a technical perspective Technically, EMVCo must define interoperability requirements to allow the mobile contactless proximity payment platform to work across payment systems brands, issuers and geographical borders. To achieve this output, EMVCo will be able to leverage its work on a common contactless level 1 specification and the associated type approval process. In addition, differing cellular network technologies (GSM / CDMA), mobile platforms (J2ME / BREW / Symbian / Windows) and messaging technologies (SMS / MMS / GPRS / HSDPA) may also require consideration. 4. The identification of user interface issues EMVCo will identify user interface issues which may arise when using a proximity payment application via a mobile handset. A key factor in this is EMVCo’s vision that mobile devices will be capable of containing multiple payment applications and products from multiple issuers and brands. This adds a new dimension in complexity over and above that found on the traditional card form factor. At the user interface level this can impact on how a consumer selects which payment product they wish to use when making a purchase (in the same way they would select the appropriate payment card from their wallet) and gives rise to the question of whether a default payment application should be determined. October 2007 © 2007 EMVCo, LLC (“EMVCo”). All rights reserved. Page 11
EMV Mobile Contactless Payment White Paper Version 1.0 In addition, the very functionality that makes the mobile device so attractive for payment also raises a variety of security and risk concerns. Consideration must, therefore, be given to the trustworthiness of the overall mobile device and steps taken to ensure that it is impervious to denial of service attacks, Trojan horses and viruses. 3.2.2 EMVCo: Industry Co-ordination Role 5. To standardise mobile contactless proximity payment application requirements Recognising that important standardisation work has already been undertaken within the industry, EMVCo intends to bridge the gap between the Near Field Communication (NFC) technical standards, the Mobile Payment Forum (MPF) ecosystem document 2 and the future EMV contactless proximity payment specifications when determining the need for specification requirements related to mobile contactless proximity payment applications. These requirements will include a personalisation infrastructure for payment applications and approval processes for mobile devices supporting contactless proximity payment. 6. To fill in ‘gaps’ which exist in the standardisation of Over-The-Air (OTA) card and application management (both secure element and user interface) Data personalisation on a mobile device is a key element in the deployment of mobile contactless proximity payments. While standards exist to address this process, such as the GlobalPlatform Specifications and the SIM OTA Specifications from the European Telecommunications Standards Institute (ETSI), there are some ‘gaps’ and issues which arise from the divergent implementation of standards. EMVCo will aim to standardise OTA personalisation requirements for payment applications, working alongside other industry associations that are making efforts to address issues associated with downloading user interface applications. EMVCo will additionally examine other approaches which could be used to manage payment applications on mobile handsets. 7. To shape the development of and refer to chip interface requirements EMVCo will help to develop interface requirements for chip in phone, chip to antennae and chip to user interface (keyboard and display), primarily by engaging with other standards organisations where necessary, to ensure that the infrastructure is in place to enable the chip to communicate with the physical components of the phone handset. EMVCo will not become involved in the debate between the payments industry and actors in the mobile value chain regarding issues of control and management. 2 Mobile Proximity Payment Issues and Recommendations – Mobile Payment Forum, October 2006 Page 12 © 2007 EMVCo, LLC (“EMVCo”). All rights reserved. October 2007
EMV Mobile Contactless Payment White Paper Version 1.0 8. To actively engage relevant standards organisations on behalf of EMVCo involvement in the standardisation for mobile proximity payment As already illustrated, there is a very high level of standardisation activity being undertaken within the mobile industry that could have an impact on mobile payment. In an effort to consolidate work efforts which are relevant to the creation of a global, scaleable infrastructure for mobile contactless proximity payments, EMVCo will actively engage with organisations including the European Telecommunications Standards Institute (ETSI), GlobalPlatform, the Mobey Forum, the Mobile Payment Forum (MPF), the Near Field Communication (NFC) Forum, GSM Association (GSMA) and the Open Mobile Alliance (OMA). This engagement will begin in the short term and the aim will be to formalise collaborative relationships between industry bodies and align work efforts so that the industry is working together to build a ‘multi-brand’ infrastructure which presents a viable business proposition for mobile EMV contactless proximity payments. 9. To speak with a common voice to operators and banks about mobile payment opportunities, challenges, and the need for standardisation EMVCo views this output as an inevitable outcome of the organisation’s industry co-ordination efforts outlined above. The process of EMVCo working alongside other relevant industry standardisation bodies and proactively ‘filling the gaps’, on both a technical and strategic level, will result in EMVCo being viewed as the common voice of the industry on mobile standardisation with ultimate responsibility for consolidation and driving progress towards an interoperable global EMV mobile contactless proximity payments infrastructure. 3.3 EMVCo Mobile Payment Working Group Road Map: Charting Deliverables In order to identify EMVCo’s key work items and specific deliverables, and to provide a timeframe for these work items to be progressed, a ‘Road Map’ was developed by the Mobile Payment Working Group in Q1 07 intending to make it publicly available to the industry, ensuring transparency in EMVCo’s overall approach to developing mobile contactless proximity payments (Appendix 1). To benchmark future progress against the present status of the industry, the Road Map begins by providing a snapshot of the mobile payments sector as it is today, documenting the technical achievements of EMVCo and other industry bodies in the recent past and highlighting general market trends. It continues by charting the short, medium and long term deliverables for EMVCo in terms of desired output from the Mobile Payment Working Group and the Contactless Working Group, again in alignment with ongoing standardisation efforts by other industry bodies and market developments. October 2007 © 2007 EMVCo, LLC (“EMVCo”). All rights reserved. Page 13
EMV Mobile Contactless Payment White Paper Version 1.0 All key efforts to be undertaken by EMVCo are acknowledged in the Road Map. A summary of key deliverables charted within the document has also been provided below: Short Term (present day – 4Q2007) Aside from the publication of the Road Map and this White Paper outlining EMVCo’s role in the standardisation of mobile payments, a further key deliverable to be completed by the Mobile Payment Working Group in 2007 is the development of an ecosystem document which identifies the architectural lifecycle issues related to EMV payment on mobile devices. This is essentially an EMVCo technical positioning paper and it will take into account the Mobile Payment Forum’s ecosystem document 3 which investigates issues surrounding the deployment of proximity payments on a mobile device and provides recommendations, where appropriate, on how the issues should be addressed. The Mobile Payment Working Group will also initiate discussions with external industry standardisation bodies in 2007 to secure technology linkages in support of an EMV mobile contactless proximity payment infrastructure. The European Telecommunications Standards Industry (ETSI), GlobalPlatform and the Near Field Communication (NFC) Forum are all key targets initially. Within the Type Approval Working Group (TAWG), the testing methodology for the Contactless Communications Protocol Level 1 v2.0 will be defined by the end of the year and implemented in 2008. Additionally, the Contactless Working Group has published an ‘Entry Point’ specification (previously described in Section 2.1). Medium Term (2008-2009) During this period, the Mobile Payment Working Group will initiate a range of activities that will address issues identified in the Mobile Payment Issues document. Research will be conducted into ‘EMV: Beyond the Card Form Factor’. This will feed into a vision statement which outlines the change in form factor of cardholder payment devices and its impact on EMVCo. Research will also be started to address the various issues relating to the “issuance” and “management” of payment application(s) on the mobile platform. Particularly, guidelines on the use of Over-The-Air (OTA) and Out-of-band communications will be developed. The issues associated with multiple brands and multiple applications sharing the mobile payment platform along with user interface functions will be researched and addressed within the context of EMVCo. 3 Mobile Proximity Payment Issues and Recommendations – Mobile Payment Forum, October 2006 Page 14 © 2007 EMVCo, LLC (“EMVCo”). All rights reserved. October 2007
EMV Mobile Contactless Payment White Paper Version 1.0 Finally, the Mobile Payment Working Group will start the development of a rational Type Approval framework and process to ensure the secure management of payment applications and credentials on a mobile platform. Ideally, this would leverage other type approval and security approval processes that already exist within EMVCo. In addition, the Contactless Working Group will develop a Type Approval process for the Entry Point application. Long Term (2010+) EMVCo’s vision for the long term is that the mobile proximity payments infrastructure and payment application will be in place enabling high levels of deployment. The Contactless Working Group will undertake the bulk of their technical work during this time period, resulting in the publication of contactless payment specifications, which will include requirements for payment devices adopting a mobile phone form factor, and the associated Type Approval process. EMVCo will manage the interoperability issues associated with this infrastructure and will aim to ease implementation of EMV mobile proximity payments in much the same way as EMVCo is now responsible for easing migration to EMV contact chip technology. In line with EMVCo’s obligation to remain relevant to, and representative of, the global payments industry, at every step of the way towards mobile payments standardisation the EMVCo Executive Committee will continue to solicit the views of the payments industry via the EMVCo Advisors. This will ensure that EMVCo’s continued progress and evolving priorities are directly aligned to industry requirements. October 2007 © 2007 EMVCo, LLC (“EMVCo”). All rights reserved. Page 15
EMV Mobile Contactless Payment White Paper Version 1.0 Page 16 © 2007 EMVCo, LLC (“EMVCo”). All rights reserved. October 2007
EMV Mobile Contactless Payment White Paper Version 1.0 APPENDIX 1 EMVCo Mobile Payment Working Group – High-level Roadmap* *The pace of delivery by EMVCo will be dependent upon the speed of market development and rate of adoption of contactless and mobile payment technology Short Term Medium Term Long Term Recent past - end of 2007 2008 –2009 2010 – NFC Forum NFC Forum NFC Forum NFC IP1 ISO/ECMA NFC Forum Digital Protocol Specification Testing/compliance ETSI ETSI Standards refinement SIM OTA Complete SIM - contactless interface SIM to Contactless I/F Requirement GP - ETSI Industry GP Complete Confidential Loading Specification Standards Card and multi application management OMA Secure Element Management Object Software Component Management Object OMTP/GP Handset as secured device CLWG: Contactless Communication CLWG: CCP Level 1 v2.0 Testing TAWG: Entry Point Type Approval Interoperability management Protocol Level 1 CLWG: Entry Point Contactless MPWG: (1) Beyond smart cards/other form Optimising/simplifying CLWG: Business requirements Specifications/testing factor implementation MPWG – CLWG synchronisation MPWG: Mobile Payment Issues Document – MPWG: (2) Out-of-band/OTA guidelines Best practices Technical position paper MPWG: (3) Multiple application/brands, user Enhancements – need to influence interface functions and requirements CLWG: EMV Contactless – technical preference MPWG: (4) Test/approval requirements and Application (card and terminal) MPWG: EMVCo position paper process TAWG: EMV Contactless EMV MPWG: High-level roadmap NFC Forum – CCP Level 1 Compliance Application Type Approval MPWG: Lobby ETSI to incorporate payment GP/ETSI – Confidential Applet Specification industry’s requirements on SIM-CL interface & OTA Compliance MPWG: Formalise linkage Secure Element compliance defined with GP on OTA confidential loading specification with NFC Forum on contactless specification and test MPF “Ecosystem” paper Development of vendor solutions (application Inter-industry cooperative models Migration of provisioning/perso Contactless payment programmes expand provisioning, security, mobile applications) Evolution of other mobile proximity applications systems to open, multi application, to additional countries and participants Commercialisation of needed technical Payment and transit industries continue to drive multi issuer, multi brand systems Mobile payment trials (mostly technical components and handsets acceptance and infrastructure expansion phase) Further mobile payment trials (beginning to test Payment and transit to drive large Market Contactless mobile payment business model, remote payments, person-to- scale/business model tests Development programmes person payments) Trials of remote payment applications Non contactless mobile payment (authentication, top-up, person-to-person, m- programmes commerce, m-banking) Development of vendor solutions and More components selections value added services October 2007 © 2007 EMVCo, LLC (“EMVCo”). All rights reserved. Page 17
EMV Mobile Contactless Payment White Paper Version 1.0 <<< END OF THE DOCUMENT >>> Page 18 © 2007 EMVCo, LLC (“EMVCo”). All rights reserved. October 2007