Welcome to this episode of Coffee with the Council. I'm Alicia Malone, Senior Manager of Public Relations at the PCI Security Standards Council. Today I'm joined by my co-host for the day, Director of Communications, Simon Kleine, at EMVCo. And we're having a conversation with Arman Aygen, Director of Technology at EMVCo, and PCI Security Standard Council's VP of Solution Standards, Andrew Jamieson. Today, we're going to be talking about the valuable partnership and collaboration between EMVCo and PCI SSC. We're going to take a deeper dive into mobile payments, including Tap to Mobile, and also PCI SSC's MPoC standard. Let's kick off by taking a moment to explain the relationship between our two organizations, EMVCo and PCI SSC. So, Andrew, let’s start with you. How do they collaborate?
Andrew Jamieson: So EMVCo essentially helps specify and create standards around how payment transaction works, in certain contexts - you've got with chip cards, and also with things like secure remote commerce that you work - and so how that transaction works in terms of the card data that comes off the card, and how the card is secured using cryptography as well and validated. And then from a PCI SSC point of view, we look at how that data from that point of acceptance is then secured throughout its storage transmission and processing throughout the lifecycle. So, we're kind of two halves of a whole in terms of making sure the transactions are interoperable, secure, and seamless.
Arman Aygen: And I'm glad you mentioned cryptography because that's another area where we discuss the wave of quantum computing coming out and being decked out, so we keep a tab on the evolution of that, and how we need to evolve our technology together with that.
Simon Kleine: Obviously a lot we could be talking about between the work between EMVCo and PCI SSC. What we're keen to talk about today, though, is the work that EMVCo has been doing on Tap to Mobile, and also how PCI SSC has been approaching that as well. Arman, could you elaborate on EMVCo's work?
Arman Aygen: So, what we have through our advisors participating in our meetings and giving us input on where we should be going and addressing: so, we had a few merchants coming to us and saying, you know, they would like to be able to use mobile devices a bit more for payment acceptance. We've done a lot for using mobile devices as a payment instrument, and for acceptance, the user experience has still been quite fragmented. I think you're going to tell us a bit more about how you're securing the software solutions that are going to run on those devices. What we have been doing is approving dedicated hardware. And when we look at mobile devices, you don't necessarily have dedicated hardware, and that hardware might not have been designed with payment as a primary function. And they might not provide the same seamless interaction as you would have with a terminal. So, we had an early adopter program where we had preliminary tests done looking at what would be possible in terms of user experience, and give that visibility to the industry in terms of, if you want to deploy that solution, what kind of devices would give you an acceptable user experience? And at the same time, you can't improve what you can't measure, so giving them indication on how the next versions of those could improve and become more seamless.
Andrew Jamieson: Yeah, and so we do get a lot of questions on this in terms of how does the work that EMVCo and PCI SSC do relate when it comes to, particularly, mobile acceptance. And so, it comes back to that kind of two sides of the transaction. One of them is, is the transaction possible? Can it be performed seamlessly? Is it functionally interoperable? Do the mechanisms that underlie how that transaction is performed, do they allow for a secure transaction to take place? And that's absolutely what our colleagues and friends at EMVCo are doing. And then, from the PCI SSC point of view, how does that work in a secure way, in terms of securing the card data from the point of acceptance onwards? And so, when we were looking at mobile acceptance scenarios, you've got these subsystems, the NFC thing, let's call it, that's on the phone, that reads the contactless card. How well that works, how that works, that's defined by our colleagues at EMVCo. And then once that data comes in, how that data is secured, how the transaction is secured, how that software manages and communicates the card data, accepts the customer PIN, perhaps, does that in a secure way, transmits that off to the backend, is processed in the backend in a secure way, all of that's defined by, for example, our MPoC standard, at PCI SSC.
Alicia Malone: So, Andrew, EMVCo is using the term "Tap to Mobile" here, and "SoftPOS" is another description that's frequently used in the industry. But PCI SSC is talking about Mobile Payments on COTS, or "MPoC." Can you explain the PCI MPoC standard, and do you think a single term will finally be agreed upon?
Andrew Jamieson: Okay, it's a great question. I'm going to answer the second part first, I guess, in that because we are these two parts of a whole that I've been talking about, I don't think we'll have a common term, or a term that's used in the same way for the standards between EMVCo and PCI SSC, because they are different standards. They're different things. They look to secure different parts of the transaction, from the functional and interoperable side to the security and payments processing side from PCI SSC's point of view. And that's what we do with MPoC. And so, what MPoC is aiming to do is allow for people to accept payments in a secure way on a mobile device. And we talked about the EMVCo standard in terms of making sure that there is a possible experience with receiving and accepting cards on mobile phones and tablets. And then MPoC looks at how that's secured with the application that sits on the mobile phone or tablet, and with backend instruments as well. So, we have different concepts in terms of MPoC software, which includes an MPoC application that sits on a mobile device. We then have this thing called attestation monitoring, which looks at the environment in which that application executes. The mobile device itself, the operating system validates the application is the correct application, there's no malware, perhaps it's running in that environment, that the transaction can be performed in a secure way, is done by the attestation monitoring service. Then you have the overarching MPoC solution that then includes operational aspects and so forth, of how all of that transaction works.
Arman Aygen: And the operating volume with which it works - that level one specification that we've defined for the terminals - that specification doesn't change. The only thing that we've done is defined acceptance criteria for those specific devices, and we call them now "reduced range." So, for the traditional dedicated hardware to have seamless experience-
Andrew Jamieson: Like a standard payment terminal, you mean.
Arman Aygen: That's correct. It would be four centimeters and for these new devices, that might be commercial, mobile phones, could be dedicated enterprise hardware that is used for other functions, like, I don't know, inventory or some other things. They also have NFC, and they could also do payment, and it's like, "Why not? Let's try payment." We have defined this reduced range as one centimeter, and reduced range two centimeters, to give an indication of what's possible, and how close you need to get to that device in order to have the payment experience done. And providing that feedback to them, hopefully, will help these two centimeters get closer to the four centimeters, so we can be comfortable again.
Andrew Jamieson: Yeah, I know that my experience with these things is that in the world of today, quite often these NFC things, I believe you called them “antennas”, I'm going to use that term, I like it. These antennas you need to have the card very close to, you know, basically touching essentially the mobile phone or something. And so, I think what you're saying is you're looking to validate that these systems can read a little bit maybe further from a distance. I often find that people who aren't in payments, have very much taken on board the tap in tap to whatever, tap to pay, these sorts of things and they think they do have to literally touch the payment device. But I think what you're saying is there is a volume, a space above the device, above this antenna thing that you talk of, that can read the card without it touching. What magic is this?
Arman Aygen: It's contactless.
Andrew Jamieson: Contactless. That’s amazing.
Simon Kleine: Can you explain really the relationship between contactless and Tap-To-Mobile and where EMVCo is now going with Tap-To-Mobile in terms of an extension of the work that had been done with contactless?
Arman Aygen: So, it's interesting that you mentioned the increased adoption of that contactless behavior during the pandemic. I think there were like two phases. Probably the first one was right before with transit operators accepting open payment. And you could use your bank card or your mobile phone in order to make those transactions. And basically, the convenience that it brought kind of instigated that behavioral change from the people in adopting the contactless. And then I think the pandemic happening and people not wanting to touch the terminals was a second layer of trusting the mobile device a little bit more in terms of using it as a contactless payment instrument. What we did with the early adopter program was do a first layer of tests in order to see what these devices were capable of. Because there's no point in us coming up with: we're going to have a reduced range of 3 cm, and then suddenly realize that-
Andrew Jamieson: No one can do it.
Arman Aygen: No one can do it. So, we had to see what was in the range of the possible, and what are the current devices in the market today capable of, and what is the acceptable experience? Now, the card is a certain size. Because of the size of the card, we have different positions in which the transaction can happen, because not all the cards have the antenna in the same place, and not all devices have the antenna in the same place. So, there is a combination of those two in terms of the position. And the size requires us not looking at just the distance, but we need to look at the operating volume with some sort of cone that would be coming out of the device. And that's where we have found that what was possible was the one centimeter. And I think that's going to stay for, I don't know how long. Hopefully, this will improve over time. But the two centimeters, we see those devices probably could do better. And we will be reviewing the initial results that we're going to be gathering next year during the launch of the program on how the roadmap of the reduced range will be going forward.
Alicia Malone: So, we've looked at the work that EMVCo is doing to enable reliable, seamless, and secure payments worldwide. Andrew, what can you tell us about the PCI SSC MPoC initiative, and how does it complement the work conducted by EMVCo?
Andrew Jamieson: Yeah, I think they do very much complement each other. And I think in a similar way, where you're talking about your program of making sure you understood what was possible within these devices - to read within a certain range, what is possible with the antennas that they have on these systems - when we're looking at using these devices to accept transactions in a secure way, we needed to look at how can that be done on these systems? You know if we look at kind of "traditional terminals,” from the EMVCo side of things, we have that increased, contactless range but also from the PCI SSC point of view, they're dedicated payment terminals. They're built for a single function, and they're designed to do that in a secure way, and they meet standards such as our own standard PCI, PTS, POI or Point of Interaction. These devices, these mobile phones and tablets, they're not that. And so, with MPoC we've had to really think about how do you accept cards, how do you allow for PIN entry on one of these, multi-purpose commercial off-the-shelf devices in a secure way?
And so, with our MPoC standard we've built out the ways you can do that, not only securely, but also in a modular way. So previously we've had standards, like SPoC for PIN entry on COTS; we've had CPoC for contactless card entry on COTS. What we've done with MPoC is really kind of combine those two standards. It's not a direct kind of merging of the two standards, it's taking a step back and looking at what we've done with those and how do we allow for both PIN and card entry through contactless on the same device in a secure way? But in those previous programs and standards, we've had a lot of feedback from the market in terms of, "well, we'd like to be able to do this in a more flexible way, in a more modular way, in a way that allows people to work within, you know, different types of business models." And so, we've tried to allow for that in MPoC as well with those three different types of MPoC products that we do list: the MPoC software product, the attestation and monitoring service, and the MPoC solution. So, people can build out SDK type solutions within an MPoC software product and then applications can integrate those SDKs as part of an overall solution. People can provide just, if you like, the attestation monitoring service and that can be a listed service that people can consume, can utilize as part of an overall MPoC solution. We've also looked at the way we create the standards and tried to write the requirements in an objective way. So rather than saying, "you must do it this way," we said, "It must be secured in this way," and then people have the ability to look at how they might do that in different ways that are going to suit their type of implementation.
Simon Kleine: You've given us a really good understanding of the work that EMVCo and PCI SSC have been doing. But are there other bodies and organizations involved in Tap-To-Mobile?
Arman Aygen: Well, we mentioned NFC. Having the NFC Forum would be the go-to one, especially around the ranges at which it is working. NFC Forum is looking at the technology for a variety of use cases. It could be automotive, it could be access control. Have you ever used your mobile device to get access to your hotel room? You can have your card key.
Andrew Jamieson: I have not, this sounds amazing.
Arman Aygen: I just did that here. And payment is one of those verticals. So, we have a close collaboration with NFC Forum as well in terms of exchanging information around what it is that we need to make payment possible? And as the NFC Forum is looking at expanding and growing that technology as well.
Andrew Jamieson: And from the PCI SSC point of view there's lots of entities we interact with. Obviously, we work in a payment ecosystem, so we have the payment brands and the payment accepting entities that we work with, who you know, are either founding members of PCI SSC or work with us on an affiliate basis. We also have our Participating Organizations that we work with that include a range of different payment participants, from acquirers and issuers to technology vendors, to merchants, to people who are tangentially involved technology providers. People who create, for example, the chips that go into these types of devices, the software that is used on these sorts of systems, all part of our Participating Organizations. All people we look to when we're creating our standards, to provide us with the input to not only help us understand what's possible, what's achievable, what can be done in a secure and interoperable way, but also to make sure that our standards are the best they possibly can be when we release them.
Arman Aygen: I think that was a really good input in terms of the advisors with whom we work, and that's part of our process as well at EMVCo. So, whenever we initiate the new specification or major revision, this is discussed in exchange with our advisors that gives us input in making sure that what we come up with is something that is actually addressing a need in the market and going in the right direction. So, we had lots of input before we came up with those acceptance criteria.
Simon Kleine: You mentioned NFC Forum. We actually spoke with Mike McCamon, NFC Forum's Executive Director last week to get his view on this. Mike, thanks so much for joining our podcast call today. Very keen to get the NFC Forum's views on Tap to Mobile. How does NFC Forum view the development of Tap to Mobile and what do you see as the opportunities and challenges with it?
Mike McCamon: Generally speaking, I would say that our membership sees the Tap on Mobile initiative as probably the next great disruptor of the payment space. So, I don't have the chart of, you know, all the things that are disrupting payment. You can think of going online and using credit cards online. If you can think of just being able, you know, we had mag strip then chip and then contactless, but we see Tap on Mobile as a very disruptive innovation. And we think it's going to revolutionize the way people do payments today.
Everyone probably listening to this podcast is very well aware of this, but just from our vantage point, you know, we see the ecosystem of payment terminals as stationary powered devices. You know, think of the terminal you pass through when you get on the train or that station that you go to at retail at the checkout stand to actually do a payment, and basically untethering that experience from those two places, we think is going to revolutionize a couple different aspects of our lives. And we think that, obviously everyone knows that retail has been having kind of a rough go at it since the pandemic. We think this might be a really interesting innovation for retail providers to begin to rethink the customer experience to, you know, meet customers where they are in store and be able to take care of all that business without having to go back to some sort of a checkout station. So that gives them that freedom and the really, really big opportunity- and there's a lot of other things we’ve got to solve to make this happen - but we also think Tap on Mobile has a unique opportunity to really disrupt the payment ecosystem in the developing economies. So, when you think of our current infrastructure payment tunnels, a lot of them are, you know, again, stationary in fixed locations, they require power, wire connectivity. I can see all those types of things. But of course, if I had my handset and some payment terminal, I could be anywhere to take payment. I can be in any neighborhood. I could even be in some of the slums in some parts of the world and still have internet connectivity. And so, we think it poses a really incredible opportunity for the space.
Now it does come with some risks and many of them are out there that we already know. Certainly, you know, putting software on a phone makes the ecosystem a little bit less stable. But we'll have to kind of think through making sure reliability works and that things, whether it's reliable and safe and secure, all those things. But the other one, which, you know, we may have forgotten now, but you know, five to ten years ago when contactless got rolled out, one of the things that everyone complained about is our tap. Like where is the place I tap? So, you see people fishing with their handset and everything. This is still going to be a problem because Tap on Mobile is now, “I've got a different payment terminal, now I've got my handset and your handset or my wearable and your handset”? And so, we're going to have to think through how do we help software developers and the industry help customers know where they're supposed to tap so they can have the successful experience just like they have today on stationary payment terminals, which not only are, you know, we well understand them now, they're well logoed now. And they also have very, very long range because of the power abilities of those payment terminals compared to, you know, battery powered handsets.
Simon Kleine: What's the role that the NFC Forum has in collaborating with the payments industry to support the development of Tap to Mobile?
Mike McCamon: Yeah, sure. So, the NFC Forum is a very different organization than I think a lot of trade groups are, that I've worked with over my career. And I would say our DNA is really around collaboration. A lot of trade groups that I'm familiar with and over my career have very much a “we own the whole world” kind of mentality. What's been very welcoming, both in the NFC Forum and in the conversations we've been having over these past 24 months, or actually the last several decades, is that there is kind of in the payments industry a very strong willingness to collaborate. And so, you know, while we have done, we were very proactive in reaching out to groups like EMVCo for instance, when we started looking at our roadmap and said, “hey, like what can we change about NFC technology that would improve the user experience for payments?” By the way, we do this for the automotive market. We do this for access control. We do this for a variety in transit. We’re always asking these questions. And so, we try to be very proactive and reach out to industry and where possible collaborate, where possible harmonize, where possible combine programs to make it easy for device manufacturers, for system providers. And so, we try to play that connecting point because just like we do with the actual connection of the device into the infrastructure, we think we can play a connecting role in trying to get all these different groups working together to improve the user experience and make these ecosystems be much more healthy and more useful and safe to consumers.
Simon Kleine: No, I think you really hit the nail on the head where, in terms of collaboration, I think we all agree with that.
Alicia Malone: So how quickly will we see TTM solutions in everyday merchant use? Will there be a significant transition period, do you think?
Andrew Jamieson: Yeah. So, when you say “TTM”, Tap to Mobile, from the point of view of PCI SSC, we have our MPoC standard, which exists at the moment and is out there. We have FAQs that we regularly publish, and we know that there are solutions under evaluation right now. I expect that once those solutions start to be submitted, we will see them popping up quite quickly. I would expect there will be a number of solutions we will see, probably towards the end of the year, that will be out in the market. And of course, there's solutions that exist at the moment that are implemented but might need to be validated against our standards as well. I think that also when it comes to how the market's going to receive and accept these things, I don't want to prognosticate on which way things are going to go, except to say that we do have some history we can look to here in previous standards and specifications.
We've seen payment cards, literally, the plastic cards that you use to pay with move from being just a plastic card to being other things, and that's once again part of the great work that EMVCo does in terms of specifying how this all works. And you can take your card and you can load it onto a mobile phone and people do pay with their mobile phone or a ring or watch or whatever it is these days. However, people still carry plastic cards because there is a use and a purpose for that. They're dedicated to that purpose, and that dedication to that purpose has value. And I think we will find that there will be, rather than everything moving across to SoftPOS or, you know, MPOC type solutions, we're going to see that there will be an opening of the market, if you like. There will be people who start to use these methods of accepting payments that didn't previously have terminals. And certainly, there will be some areas where these types of solutions will supply terminals, but I don't see terminals going away any time soon because there's value to having a dedicated payment device. There's value to having something that is multipurpose for accepting payments as well. So, to summarize, to answer your question, I think we're going to see some of these things very quickly in the market and I'm really excited about that. But I don't think that they will remove the opportunities or the use cases for traditional terminals anytime soon.
Arman Aygen: I think that's a really good point in terms of the use cases, not just that they are coming about. And when we see the early solutions coming out, that they're really not replacing the existing terminals. Terminals are there. They will be there for the foreseeable future because they provide a certain value. Now, what we're seeing really is these additional use cases where people wish they could have a terminal, but they don't have one, so they could load the software on a mobile device, start accepting payment on a temporary basis, or it could be social gatherings, like a garage sale or your kid's sports club having an event or something like that. So, it's mainly the expansion of going beyond the traditional use of the terminals. And, at the moment, the initial experiments that we see happening and the feedback we receive from the market is we’re pretty much shooting in the dark in terms of selecting which device they want to run it on. And that is the clarity that we're trying to provide and hopefully that's going to help these solutions be deployed a little bit more in the market where they could hopefully come to EMVCo and say, "hey, I want to put this solution and use it. What device should I use?" And then see the capabilities of the different hardware that are available and know what experience they could get out of it.
Simon Kleine: Okay. Sounds like an exciting future with Tap to Mobile. Is it job done, or is there still more work to do going forward?
Andrew Jamieson: I think there's always work to do moving forward. I think from the EMVCo side, and I'll let you speak to this, Arman, you mentioned, you know, you're at the point where you're accepting things, but maybe they can get better over time. And certainly, from our point of view, technology in terms of how mobile phones and tablets and commercial off-the-shelf devices work, that changes all the time. There's some really interesting technology coming up and new versions of operating systems that will help further allow for securing transactions and securing payment data that is associated with those transactions. I think we will see people do interesting things with these. I always find that when we create our standards, we make them as open and as objective-based as we can, but it's always interesting to see what people do with those things. And so, we'll start to see the implementations, and those implementations will inform how we progress our standardization in this space, and that will feed into new implementations as well. And I think that, that whole, you mentioned exciting, I think it is exciting where is this going to go, where payments are going to go, where we are going to find the ability to use payment cards, use commercial off-the-shelf devices, find ways in which we can facilitate people to, you know, purchase the goods and services that they want in the best, the most seamless, the most interoperable, the most secure way possible into the future.
Arman Aygen: And I see this evolving definitely because we are starting to measure and get feedback on the capabilities of those devices. And these devices were not designed with payment as a primary function. And you can't improve what you can't measure. So, by having these initial measurements done, we're hoping that the next versions will improve over time. We've talked about cards and mobile. It could be mobile and mobile. And as we see the evolution of these solutions and the next versions coming about, we're really looking at this reduced range getting as close as possible to the seamless four-centimeter experience. And we will be looking at the revision of that throughout next year, and we will announce an update on the road map, second half of next year. And we have new advisors joining EMVCo as well. So, we have STMicroelectronics, we have Infineon, that have joined us. And they also provide us with feedback on the capabilities of the different components that they provide. And this feedback is taken into account as well.
Simon Kleine: Well, sounds like a good point we've got to, and more to look forward to. So, thanks very much to you, Arman, and to you, Andrew.
Arman Aygen: Exciting times.
Andrew Jamieson: Yes. Thank you very much.
Arman Aygen: Thank you.
Alicia Malone: And we certainly appreciate you guys lending your expertise to our conversation today. So, thank you so much.
Like what you’ve heard? Subscribe to PCI SSC’s “Coffee with the Council” podcast by visiting any of the following platforms: Apple Podcasts, Spotify, Amazon Music, Anchor, Castbox, Google Podcasts, iHeartRadio, Pocket Casts, RadioPublic, or Stitcher.