New implementation guidelines published for mobile contactless payments

Written on 2 Aug 2018

How will the payments industry achieve a consistent customer experience? What are the different service, technical and security aspects involved in mobile contactless payments? How can MCP processes be implemented in compliance with the relevant legal regulations?

These are just some of the questions addressed by the updated Mobile Contactless SEPA Card Payments Interoperability Implementation Guidelines published by the European Payments Council (EPC) on 2 July 2018.

The mobile contactless payments (MCP) ecosystem has undergone rapid change over the past couple of years. We have seen new entrants join the market and new technologies emerge. In a world where the number of mobile devices now exceeds the number of people on the planet, we are becoming more accustomed to using our mobile phones to pay, including in a face-to-face situation.

In addition to the digital evolution, the payments industry is also grappling with new rules and regulations impacting this space (such as: PSD2 and the associated regulatory technical standards (RTS); GDPR; and the Interchange Fee Regulation). Following the setting up of a multi-stakeholder group and a three month consultation process, the payments industry will welcome these updated Guidelines reflecting the new technologies and regulations in this sector.

This is a hot topic which has also been on the PSR’s radar for some time. In its report published on 31 July 2018, the PSR acknowledges that MCPs are still a relatively new development and says that it will continue to keep the sector under observation and take any action necessary to protect competition, innovation and the interests of people and organisations that use payment systems in the UK.

Objectives of the Guidelines

The document is intended to provide “interoperability implementation guidelines for MCPs”. But what does this mean in practice?

The Guidelines aim to create awareness amongst the payments industry of the various aspects to be considered in the development of MCP solutions. The intention is to help stakeholders understand where the risks are in order to create or maintain an adequate level of trust in MCPs. The Guidelines may also serve as a reference basis for stakeholders (both consumers and merchants) making certain implementation choices.

The Guidelines focus on interoperability between the different stakeholders involved in the MCP ecosystem in the co-operative space. In particular, they look at both life cycle management and the technical interoperability of an MCP transaction.

The Guidelines cover the following:

  • a description of MCP use cases;
  • the roles for the main stakeholders in the MCP ecosystem;
  • the service model alternatives for MCPs;
  • the main architectures for MCPs;
  • how to implement MCP applications on the same mobile device (with particular emphasis on the mobile wallet concept); and
  • the main technical and security issues and the related dependencies impacting the service model and some aspects for the evaluation and certification processes.

The Guidelines are complementary to the existing technical specifications and the recent standardisation work carried out by industry bodies in the Near Field Communication (NCF) ecosystem (in particular, the SEPA Cards Standardisation Volume 8).

What are the most significant updates?

The scope of Guidelines has been extended

The Guidelines previously only covered contactless mobile payments based on NFC technology. Their scope has been extended to include new technical solutions, such as:

1. Cloud-based Host Card Emulation (HCE)

HCE technology enables mobile devices to emulate a contactless card.

For all mobile device operating systems that support HCE, any application in the mobile device can directly access the NFC capabilities to communicate with a merchant’s contactless point of interaction. HCE has therefore eliminated the need to have a Secure Element on the mobile device – consumers can just download an app and enrol.

However, cloud-based payments can present some challenges for MCP issuers, including: (i) the need to meet additional security requirements due to there being no Secure Element; (ii) their availability predominantly for on-line transactions; and (ii) the fact that HCE is not available on all operating systems.

2. New Secure Element types such as embedded Universal Integrated Circuit Card (eUICC) and integrated Secure Elements

The eUICC is a new hardware version of a UICC that is non-removable and built into the mobile device by its manufacturer. It offers the user the possibility to change its mobile network operator over-the-air, without needing to physically change the embedded UICC itself.

Whilst there are a number of advantages of eUICC to MCP issuers (and eUICC it is expected to eventually replace the UICC), the Guidelines also identify certain challenges. In particular, relating to the interoperability between different MCP issuers using different Trusted Service Managers and the set-up of the necessary Service Level Agreements between the MCP issuers and the mobile network operators / Trusted Service Managers.

The Guidelines now incorporate the concept of ‘strong customer authentication’

From 14 September 2019, the RTS for strong customer authentication (SCA) and common and secure communication (CSC) under PSD2 will apply. Article 97 of PSD2 mandates the use of SCA for MCP transactions, subject to the exemptions provided for in Article 98 and now set out in the RTS. The guidelines now incorporate the concept of SCA, noting that the combination of a dynamic card authentication with a cardholder verification method provided by the consumer creates an SCA method.

However, the Guidelines recognise that more work is needed to assess the impact on MCPs of PSD2 and the RTS on SCA, and of the Interchange Fee Regulation, specifically as regards the customer experience.

The Guidelines introduce new concepts such as ‘tokenisation’ ‘payment card manager’

Tokenisation describes the use of payment tokens instead of real payer related account data in payment transactions. A payment card manager is a consumer visible mobile application (for example, a wallet app) used by the consumer to manage which payment card(s) will be used for conducting MCPs. 

Osborne Clarke comment

With standardisation across the payments sector being the ultimate goal, these updated Guidelines represent a positive step towards a more secure, convenient, consistent, efficient and trusted payment experience for customers across Europe.

In light of the rapidly changing market and the increasing amount of regulation impacting this space, we endorse the stakeholder group’s recommendation that the Guidelines are regularly updated to reflect the state of the art related to MCPs, and to keep them aligned with legal developments in this sector.

We expect that the EPC will now seek to further encourage market take-up of MCPs, both generally and within those sectors (and countries) where uptake has been lagging. To this end, the Guidelines indicate that certain technical specifications for a “Smart Secure Platform” (based on integrated secure elements) are expected to be published in Q3 2018.