Mobica, not just your token software company for digital payments?

As many of you have probably observed recently (both in media as well as in the surrounding reality), Mobile Payment tech is becoming an increasingly popular demand. Google, Samsung, Apple Pay and also more recently Xiaomi with Mi Pay, are probably the most recognisable, but did you know that Mobile Payments can be provided by almost any company who meets the specific requirements?

So the questions remain: How does it work? Is it safe and what is Mobica's involvement?

Why Mobile Payments?

Current access to digital payments already provide a wide range of possibilities: transfers via bank account, person to person (via SMS, e-mail, phone number), debit, prepaid and credit cards. But do we need more options?

Smartphones have become one of the most essential daily accessories in today’s world, its importance to the consumer lies in its variety of benefits to the user, and so the decision to move everything digitally in the form of mobile applications, has been at the forefront of many companies digital strategies. Digital payments are no exception and by converting the service to the form of an app for a Smartphone, it can provide further benefit by increasing the security of how we transact money. Consider the following predicament - when would you first realise that you have lost your wallet with all your personal bank cards and more? The most likely response would be the next instance you try to pay for a transaction. This situation leads to cancelling all your lost bank cards and then a long period of time, which could stretch weeks, to receive any replacements.

Mobile Payments dispel this problem. If you lose your phone, you would probably notice this immediately. Any payment mechanism is also protected by additional authorisation processes, so even if the phone was stolen, it is not that easy to use it for payments. When you inform the bank or Mobile Wallet service provider, the payment on that phone will be blocked immediately (and the digitised card’s archetype will stay valid and ready for use). If you then want to access your account on another phone, the on-boarding process takes a matter of minutes rather than days or weeks. Blocking contactless readiness on the card (for security reasons) is not as easy or efficient in comparison to blocking the service on a phone (which requires just one click). There are even more arguments that could encourage the markets to develop mobile payments even further, but there is not enough space to elaborate on it here. It is certainly worth mentioning how it actually works, because this gives you some idea of where the benefits come from.

What makes it secure?

Mobile Payment Applications do not store real card data. Instead it stores something called a “Token”, which replicates the look similar to the card’s PAN number but without the drawback. If the token is stolen it cannot be used for payment. It will be recognised by the external payment systems but will not pass the transaction authorisation process without proper certification. This is because, with the token, the mobile application gets a set of single use keys (single as there is one key per payment), which with additional PIN/password from the user and device metadata are used to generate proper transaction cryptogram. Authentication is executed on multiple levels: something we know - the PIN, something we have - the phone, something we get - the token and the set of single use keys. Of course the particular implementation of Mobile Payment solution may vary but the core security approach remains.

Mobica's involvement in Mobile Payments

Mobica started developing in the Mobile Payment development arena when it was just an idea and there weren’t any proper environments on the market for its support. Our first projects were around Proof of Concept solutions with the use of Secure Element (SE) on SIM and SD memory cards. The difference with Host Card Emulation (HCE) (where SE is in the cloud, which were widely available with Google Android 4.4) is that the first one was actually another version of physical contactless payment cards and its security was also the same (all card data was stored on the device).

With HCE provided by Google, the game actually started for real and we were right in there at the beginning and in 2014 we provided the SDK platform-independent payment solution. Right now we are helping one of our customers to build the entire solution which involves both the back-end and front-end parts.

After acknowledging that with commercial projects we may not always have access to the whole picture, we decided to build our own solution in form of a Mobica Internal R&D project. This project allows us to learn all aspects of the complex payment solution; its interparts, protocols, flows, certification requirements, etc. We believe that knowledge and understanding of this opens new and exciting opportunities, from which we all can only benefit.  

Contact

Looking to improve your security or mobile payment solutions? Get in touch and find out how Mobica can help you! Drop a quick email to sean.oconnor@mobica.com

This was written by our expert in Mobile Payment Technologies, Mariusz Stolarski