Creating a secure, stable and scalable mobile payments ecosystem
The establishment of the mobile services ecosystem is rapidly moving forward. The number of partners involved in delivering and managing the applications today - be it a game, music or communication service - is still rather limited. While this contains risk, it also restricts the capabilities of a mobile device and potential business opportunities.
As mobile payment (m-payment) applications come to market, security becomes much more important. To optimise the benefits of m-payment applications, these need to be linked to other services, such as loyalty, couponing and transport ticketing. All these applications must successfully and securely reside on the same mobile handset, without interference or corruption, and all the partners must be able to access and support the lifecycle of their individual mobile applications. This could include voluntary updates, such as service privileges, as well as involuntary, such as suspending an m-payment service if a mobile handset is lost or stolen.
Such ecosystem advances need to be supported by a stable, secure and scalable infrastructure. The European Payments Council (EPC), working together with all stakeholders active in the m-payments ecosystem, is willing to contribute to the development of such an infrastructure with regard to the initiation and receipt of Single Euro Payments Area (SEPA) payments by mobile. The intention is to help establish a framework, which enables all potential payers and payees to make m-payments across the European Economic Area, and create a secure environment for the multiple stakeholders active in the field.
The EPC will release two revised documents of interest to the community:
- The new edition of the White Paper on Mobile Payments.
- Revised Mobile Contactless Card Payments Interoperability Implementation Guidelines to be published for a three month public consultation.
The new edition of the White Paper on Mobile Payments
Following the public consultation on the white paper in early 2012, the EPC has worked to incorporate input from 17 parties representing various stakeholders in the m-payments ecosystem. These included infrastructure manufacturers, service providers and retail organisations. The new edition of the white paper will be published shortly.
This new version of the white paper provides an enhanced overview of the infrastructure needed to support the m-payments ecosystem, including a reference to the mobile remote payment framework and the different technical infrastructures and system components needed to support both the mobile remote and contactless ecosystems.
Key to stakeholders operating within the European market, the new edition of the white paper also expands its analysis of how these new and evolving infrastructures interact and support the instruments, in particular card payments and credit transfers. The document presents a more elaborate overview of the many actors shaping the environment, and describes the convergence of markets and parties involved in the delivery and management of m-payments to ensure the secure implementation of mobile services. The EPC acknowledges in this revised white paper that consumer acceptance and usability will be essential to the adoption of m-payments. To address this, the latest edition devotes a new section to the concept of the 'mobile wallet' and the role of this user interface to centralise payment activity. Finally, the white paper has been updated to achieve consistency with the Mobile Contactless Card Payments Interoperability Implementation Guidelines which will be published shortly.
Mobile Contactless Card Payments Interoperability Implementation Guidelines released for a three month public consultation
The EPC will publish a revised version of its Mobile Contactless Card Payments Interoperability Implementation Guidelines for public consultation.
The document offers a more technical overview and analysis of the mobile contactless payments landscape compared to the white paper. In addition to describing the contactless payments ecosystem today and the stakeholders involved, the guidelines provide a summary of the technology available and its deployment within the market. Within the document the EPC promotes the use of open standards. It recognises that consumers will not want to be restricted to services depending on their selected mobile handset, mobile network service provider or geographical location. The clarity offered by the document enables industry stakeholders working within the ecosystem to ensure an adequate level of security measures.
Referencing all these elements within a central guideline is designed to help reduce m-payment solution time to market. It also provides more transparency to market participants by contributing to the clarification of the roles of key stakeholders, as well as of the position and responsibility of the EPC in relation to other industry bodies.
In this latest version of its Mobile Contactless Card Payments Interoperability Implementation Guidelines, the EPC further examines the secure element (SE), a tamper-resistant platform (typically a one chip secure microcontroller) capable of securely hosting applications, and their confidential and cryptographic data, in accordance with industry established rules and security requirements. The most common types of SE are: Universal Integrated Circuit Card (UICC); embedded SE; and micro secure digital (micro SD), with each SE linking to different service model(s) and addressing different business needs.
To complement the work included in the previous version of the guidelines, this latest document considers the presence of multiple SEs (of different types) in the same mobile phone, as well as advances the sections on embedded SEs and microSDs. For example, a handset manufacturer may issue a handset with an embedded SE, while the mobile network operator will provide a UICC for communication services, and a microSD slot may also be available on the device. The stakeholders involved in the ecosystem must be able to manage their secure services and technology successfully, without corruption or misunderstanding. The EPC takes the first steps to address this issue.
Data sharing between multiple mobile contactless payments applications from the same issuer (payment service provider) is another update in the guidelines. The ability to securely and effectively share resources will be key to the success of delivering cost-effective solutions that provide real customer convenience. Sharing a mobile code between different applications is one example which illustrates the concept.
Finally this new version includes an update on the work of other industry and standard bodies, and references their deliverables to date.
Stakeholders are encouraged to provide feedback during the soon-to-be-launched three month public consultation
The development of an innovative, sustainable and efficient mobile services landscape will only be realised by encouraging all stakeholders to share their expertise, insights and framework. The EPC calls on stakeholders to review the most recent additions to the guidelines when published for a three month public consultation.
A further updated version of the Mobile Contactless Card Payments Interoperability Implementation Guidelines, incorporating stakeholder feedback received with the upcoming consultation, is expected to be published on the Website by end 2012 or start 2013.
Dag-Inge Flatraaker is the Chair of the M-Channel Working Group.
Update with regard to the (October 2012):
On 30 March 2012, the European Union (EU) Regulation (EU) No 260/2012 establishing technical and business requirements for credit transfers and direct debits in euro and amending Regulation (EC) No 924/2009 was published in the Official Journal of the EU. Recital 5 of this Regulation states that the European Commission should "review the governance arrangements of the whole project before the end of 2012 and where necessary make a proposal. This review should examine, inter alia, the composition of the European Payments Council (EPC), the interaction between the EPC and an overarching governance structure, such as the Council, and the role of this overarching structure." Pending the outcome of this review process, the EPC decided to suspend any further development related to the Mobile Contactless Payments (MCP) Interoperability Implementation Guidelines (IIGs) awaiting further clarity on the governance of the Council and on the ensuing mandate of the EPC. The already published MCP IIGs (EPC178-10 v2.0) will therefore remain unchanged and no public consultation on a draft new version of the will be launched for the time being. Any possible further maintenance will be considered within the future overarching governance structure.