Introduction
Radio frequency identification (RFID) reading technology, which enables the transfer, by radio, of information from an electronic circuit to a reader, opened up some interesting possibilities in the area of e-payment (Domdouzis, Kumar, & Anumba, 2007). Today, near field communication (NFC) technology opens up even more horizons, because it can be used to set up communications between different electronic devices (Eckert, 2005).
Contactless cards, telephones with NFC capacities, and RFID tags have been developed in industry and the services (Ben-david, Fosso Wamba, & Lefebvre, 2006). They are similar, but some major differences explain the specificity of these three applications and the corresponding markets. The label, or marker, is a small electronic element that transmits, on request, its numerical identification to a reader.
RFID identification makes it possible to store and recover data at short distance by using these miniature markers or labels (see Figure 1) associated with the articles to identify. The cost of the label is only a few centimes. An RFID system is made of labels, readers connected to a fixed network, adapted software (collection of information, integration, confidentiality...), adapted services, and management tools that allow the identification of the products through packing.
Figure 1. Some examples of RFID labels
Contactless smartcards (see Figure 2) contain a microprocessor that can communicate over a short distance with a reader similar to those of RFID technology (Khu-smith & Mitchell, 2002).
The originality of NFC is the fact that it was conceived for protected bilateral transmission with other systems. NFC respects the ISO-14443 standard (Bashan, 2003) and thus can be used as a contactless card. It can also be used as a contactless terminal communicating with a contactless card or another NFC phone (ISO-18092). Services available through NFC are very limited today, but many experiments are in progress and electronic ticketing experiences (subways and bus) started in Japan.
There are two types of NFC phones:
• The mono chip, composed of only one chip for GSM services (called the SIM) and NFC services. In that case, an NFC service is dependent on the phone operator.
• The dual chip shows a clear separation of the two functions within two different chips. That completely isolates the operator and allows independent NFC services...
Figure 2. Example of a contactless bank card
We define the technology standards, the main platforms and actors in the background section. The main thrust develops some contactless payment applications, and analyses the benefits and constraints of the different solutions. The future trends section concerns the research and technology evolution in contactless payment applications.
Background
The major interest of contactless cards is to facilitate access control, micropayment... Another interest relates to the wear of the card: it is insensitive to contact oxidation. We briefly detail the international standards that are involved in RFID and NFC.
Standards ISO-14443
This standard is the international one for contactless smart-cards operating at 13.56 MHz in close proximity of a reader antenna. This ISO norm sets communication standards and transmission protocols between a card and a reader to create interoperability for contactless smartcard products. Two main communication protocols are supported under the ISO-14443 standard: Type A and B. Other protocols were only formalized: Type C (Sony/Japan), Type D (OTI/Israel), Type E (Cubic/USA), Type F (Legic/Switzerland).
This norm is divided in four parts and treats Type A and Type B cards:
• ISO-14443-1 defines the size and physical characteristics of the antenna and the microchip;
• ISO-14443-2 defines the characteristics of the fields to be provided for power and bi-directional communication between coupling devices and cards;
• ISO-14443-3 defines the initialization phase of the communication and anticollision protocols;
• ISO-14443-4 specifies the transmission protocol.
ISO-14443 uses different terms to name its components:
• PCD: proximity coupling device (or reader);
• PICC: proximity integrated circuit card (or contactless card).
ISO-18092
NFC is a short-range (10 to 20 centimeters) wireless communication technology that enables the exchange of data between devices over a short distance. Its primary goal is use in mobile phones. This open platform technology is standardized in the ISO-18092 norm, NFC Interface Protocol-1. In NFC technology, two communication modes exist: the passive and active communication modes of the NFC interface protocol, used to realize a communication network of NFC devices for networked products and also for consumer equipment (see Figure 3).
ISO-21481
The ISO-21481 standard (NFC Interface Protocol-2) is derived from the Ecma-356 (interconnection) standard. It specifies the mechanism for selecting the communication mode so as not to disturb communication between devices using ISO-18092, ISO-14443 (contactless interface - proximity), and ISO-15693 (contactless interface - vicinity).
Figure 3. The two NFC communication modes
Application platforms and Major Actors
There are major actors in the field of contactless applications; we distinguish two important platforms using the contactless technology: Mifare and FeliCa. This chapter does not go into more detail about the technology of these platforms, but is more about their applications.
Current actors in payment applications, namely MasterCard and Visa, stay alert, and intend to play a major role in future payment applications. They have already joined the movement and have launched many developments in contactless payments. They are beginning to agree on a common communications protocol for contactless payment devices. This is based on the MasterCard PayPass™ protocol. MasterCard made the first step with a contactless credit card (see Figure 4) (Olsen, 2007).
The Visa PayWave technology is rather largely deployed within many European countries. Both target the American market for future deployments (Turner, 2006).
Visa and MasterCard technologies comply with the EMV (Europay Mastercard Visa) standard. This standard defines the interoperation between smartcards and terminals for authenticating credit and debit cards. It defines strong security measures and provides a strong authentication along the process.
Mobile specifications are still in an early stage of development. Those who want to follow the development can do so at the EMVCo Web site. Contactless cards that implement the EMV standard over contactless communication do not differ much from contact cards. The differences will be in the usages and applications.
Figure 4. Payment with a contactless card
Main Focus of the Chapter
The main focus of the chapter is an analysis of the benefits and limitations of RFID authentication for electronic payment (Tajima, 2007). This part deals with the particular constraints of banking (computation time, security...) for this kind of authentication process (Chen & Adams, 2004). The use of radio frequency and the small distance allows some security weaknesses, which lead to security reinforcements.
Contactless Cards in Banking Applications
We have seen that MasterCard and Visa have an agreement to share a common transmission protocol and experimentation for the contactless payments by radio frequency in the points of sale.
Contactless payments, as conceived in the programs MasterCard PayPass and Visa PayWave, make it possible for the cardholders to carry out fast payments by a simple passage of their card in front of a terminal, thus, avoiding them giving their payment card to a merchant or handling cash. Contactless payments are much more practical for the consumers and are particularly adapted in environments of purchase where the speed is essential, like fast food, the gas station, but also theaters. They also offer new appropriate payments by using a card in unusual environments of purchase, like slot-machines or tolls. To make a payment, a user presents his/her card near the front of a terminal (a beep is emitted by the terminal). A request for an online authorization is sent. The payment is carried out. There exist two types of PayPass cards:
• Contactless with a magnetic stripe;
• Contactless with a chip that is EMV compliant (dual-use card).
For the European market, Visa is planning on using RFID-enabled dual-use debit cards, based on its own Visa Contactless payment technology. It aims, in particular, at European countries already using EMV compliant cards. But, Visa is also understood to be in talks with mobile manufacturers to use NFC technology that will enable a phone to be used instead of a card.
For the US market, the contactless PayPass is not EMV compliant, so the target is to limit the authorization requests (see Figure 5). How does it work?
• For a small amount (for illustration, <$30), an authorization of $30 is requested, and the small payments carried out are then debited against it;
• Payments lower than the authorization threshold, less the preceding payments, are not the object of an online transaction;
• As soon as the cumulated ceiling of preauthorization is reached, a new preauthorization is required.
Figure 5. Delayed clearing and settlement
When the amount exceeds $30, for example, an authorization request is always sent with the following exchange. The security of the transaction is guaranteed, first, by the use of some information stored in the card such as the card number, and second, through the secure transfer with the terminal by using the RSA algorithm. For the EMV countries, cards have contactless capability and EMV compliance. The transaction has another scheme.
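The US-market preauthorization scheme described above, as an added example that is not part of the original chapter or of any payment network's code: a small ledger that decides, per purchase, whether an online request is sent. The $30 ceiling is the chapter's illustrative figure; the class and function names are hypothetical, and the rule that a small payment which no longer fits in the remaining preauthorization triggers a new one is an assumption.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Illustrative value: the chapter gives $30 only "for illustration".
CEILING = Decimal("30.00")


@dataclass
class PreauthLedger:
    """Tracks one card's preauthorization (hypothetical acquirer-side model)."""
    ceiling: Decimal = CEILING
    remaining: Decimal = Decimal("0")   # unused part of the current preauthorization
    online_requests: list = field(default_factory=list)

    def _authorize_online(self, amount: Decimal, kind: str) -> None:
        # Stand-in for the online authorization request sent to the issuer.
        self.online_requests.append((kind, amount))

    def pay(self, amount) -> str:
        amount = Decimal(str(amount))
        if amount <= 0:
            raise ValueError("amount must be positive")
        if amount > self.ceiling:
            # Above the threshold: an authorization request is always sent.
            self._authorize_online(amount, "full")
            return "online"
        if amount > self.remaining:
            # Ceiling reached. Assumption: this also applies when the payment
            # no longer fits in what is left of the preauthorization.
            self._authorize_online(self.ceiling, "preauth")
            self.remaining = self.ceiling - amount
            return "preauth"
        # Covered by the existing preauthorization: no online transaction.
        self.remaining -= amount
        return "offline"

    def offline_exposure(self) -> Decimal:
        """Value that can still be spent without the issuer being asked."""
        return self.remaining


def replay(amounts):
    """Run a constructed sequence of purchases; return (decisions, ledger)."""
    ledger = PreauthLedger()
    return [ledger.pay(a) for a in amounts], ledger


if __name__ == "__main__":
    # Constructed sample purchases, not data from the chapter.
    decisions, ledger = replay(["4.50", "12.00", "8.00", "6.00", "45.00", "5.00"])
    print(decisions, ledger.online_requests, ledger.offline_exposure())
```

The value returned by offline_exposure() never exceeds the ceiling, which is the amount the issuer accepts being spent on a card between two online checks.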
NFC
NFC can be used as a terminal or a simple contactless card (Remedios, Sousa, Barata, & Osorio, 2006). Before NFC, contactless applications, like payment or access control, were only implemented on cards. These developments were limited because the card has no battery power supply. A mobile phone is a possible solution to this problem because it has its own power supply. Lots of new applications can be loaded onto an NFC phone, but not onto a contactless card.
In contrast to a credit card, mobile phone memory is not safe enough for storing secret data and critical applications. That is why these applications can be embedded on a separate chip. The security and confidentiality of data are ensured by encryption, which is handled by the chip itself.
The chip can be located in several places (Mallett, Millar, & Beane, 2006):
• In the phone: The drawback is that the chip is not transferable; it is integrated in the phone. This system is named dual chip and has many advantages: telecom operators independence, security. This solution has been chosen by the ITEA research project called SmartTouch (SmartTouch, 2005) whose objective is to study and promote the use of NFC mobile phones for different applications including payment;
• In the SIM card: The problem of this solution is that there is no standardization yet, and the telecom operator is responsible for all applications on its SIM card, thus responsible for the NFC part.
NFC mobile can be used as a terminal with a contactless card or another phone (ISO-18092), or it can be used as a contactless card (ISO-14443). Mobile screen, key pad, and connectivity features can be used to create more and more user friendly applications.
NFC phone as a contactless credit card
The NFC mobile phone can be used as a contactless credit card. In this case, NFC technology does not bring anything more than a contactless card (except for dematerialization of card, which is more useful).
An example of these applications is the proximity payment. The merchant, who has an NFC terminal, enters the amount of the transaction. The mobile owner then puts the phone near the terminal and information about his/her transaction is displayed on his/her mobile screen. If the owner agrees to the transaction, he/she validates it and enters his/her PIN code. He/she puts the phone on the terminal to send all information (bank account number...). He/she can finally take his/her ticket, since the transaction is closed.
In Japan, this payment solution is already in use. Lots of taxis have adopted an NFC payment system in their vehicles, which secures transactions for the taxi, and users do not need any cash. Some gas stations are already equipped for NFC payments with a mobile phone. Lots of research programs are based on NFC technology (Jaring, Tormanen, Siira, & Matinmikko, 2007).
Future Trends
Future trends stress the different research topics that should help solve some still existing problems in contactless payment (Chen & Adams, 2004). We can consider that there are two main actors involved in NFC payment, with different objectives and limits.
The Mobile phone operators
An entity, either the mobile phone operator or a third-party vendor, sells the mobile phone and produces the correct information required to personalize the SIM. The responsibility for the personalization of the SIM is given to the mobile phone operator. The mobile phone operator prefers using a second chip rather than a single one because there is no exchange with the environment of the phone unless it permits it (and, moreover, it bills for it). In that case, if a banking actor tries to modify the parameters of the SIM to install the secrets of the bank that allow the payment, it can do so only with the agreement of the mobile phone operator, who is the owner of the secrets of the SIM.
Today, that relation between the mobile phone operator and the bank can only take the form of a one-to-one agreement, which is incompatible with a generalization of that solution. Today, to start experimentations, the solution is to externalize the personalization to a specialized third party well known by the mobile phone operators and by the banks. For each cardholder, the third party will receive the secret keys and software from the cardholder's mobile phone operator and the cardholder's bank, and will personalize the SIM with that information (Pasquet, Reynaud, & Rosenberger, 2008). That solution is tested by the three mobile phone operators and by five major banks in France in the Pegasus project in two French cities (Strasbourg and Caen).
In the future, it is necessary to modify the SIM architecture and to create some virtual shelters inside the SIM, protected by keys communicated by the SIM operator to the bank, to allow the bank a remote personalization. The GlobalPlatform specifications (a new standard for smartcard infrastructure) are on the way to allowing that secure remote personalization, but it will take more or less 2 or 3 years.
A second solution is possible with an NFC mobile phone: not to deal with a bank, and to pay for a service through the customer's mobile phone bill. This type of payment, already used to buy ringtones for the customer's phone, can also be used for NFC payments.
The Banks
Ten years ago, some banks tried to develop, with mobile phone manufacturers, mobile phones with a special slot for inserting banking cards. They have given up that solution, which was very secure but expensive.
Another possibility is the use of NFC dual chip mobile phone where the SIM is completely separated from the NFC chip. The SIM is bought by the customer and installed in the mobile phone (Remedios et al., 2006).
The phone manufacturers are interested in that solution, but the question is: which actors will commercialize the mobile phone if the operators disagree with the dual chip solution? Experimentations are in progress in a few countries in the world (Finland, France...), but it will be difficult to convince all the mobile phone operators to share the income of such a solution.
Apart from that problem, the banks have just to personalize the NFC mobile phone. But the phone must be in front of the antenna of the personalization equipment. This leads to two solutions: the banks can give the NFC mobile phone (within a partnership with a mobile phone operator and a manufacturer) to their clients (which model, which color...?), or the banks develop personalization equipment and install it to personalize the NFC mobile phones of their clients. Both solutions impose high investments on the banks.
Conclusion
Which technology is the best regarding traceability and security (identification and authentication)? With regard to identification, the RFID, the smartcard, and the NFC, after the barcode, are today in competition. All actors develop their technology, until the moment when the aspect of universality or cost price is called into question by new considerations.
It appears that each technology is worth only as much as the markets that are open to it, and for which industrial series allow a good profitability of use of the associated products. The convergence of the new networks will bring, by association with other technologies (cryptology, reduction in price and volume of the memories, particular modulations...), elements suitable to stimulate this dynamic.
Key Terms
Contactless Cards: The contactless smartcards contain a microprocessor that can communicate over a short distance with a reader similar to those of RFID technology.
EMV: Europay, MasterCard and Visa specifications. This is a standard for interoperation between smartcards and point of sale terminals and also automated teller machines.
FeliCa: That platform, owned by Sony Corporation, originally proposed as ISO-14443 type C but refused, is now compliant with ISO-18092.
IC: Integrated circuit. Miniaturized electronic circuit also known as microcircuit, chip, or microchip.
Mifare: That platform, owned by NXP Semiconductors, is compliant with the ISO-14443 type A standard.
NFC: Near field communication. A short-range high frequency wireless communication technology, an extension of the ISO-14443 proximity-card standard for mobile phones.
RFID: Radio frequency identification. Automatic identification method relying on storing and retrieving data using devices called RFID tags.
Smartcards: Card equipped with a chip or integrated circuit card (ICC). It defines any pocket-sized card with embedded integrated circuits which can process information.
Tags: Miniature markers or labels emitting a unique number or other information.