Optimizing Issuance for iOS and Android Digital Wallets

1. Secure Element on iOS
2. Secure Element on Android
3. Contactless Payment Flow With HCE and Secure Element
4. Activating Push Provisioning to iOS and Android Digital Wallets
5. Growing Scope for Digital Wallets Across Retail and Commercial Payments

In September 2023 the Consumer Financial Protection Bureau (CFPB) published a report on how Big Tech – specifically Apple and Google – are shaping contactless payments in the US. According to data gathered by CFPB, roughly three in four US iPhone users have activated Apple Pay, the iOS proprietary digital wallet, and as of July 2023, 5100 card issuers had entered agreements enabling their cards to be made available on the wallet. The Android ecosystem has Google Pay and Samsung Pay as the dominant digital wallets, with a projected total of over 12 million US users by 2025.¹

For issuers, enabling their cards for availability and easy addition to wallets across both operating systems is key to staying competitive. However, the way Apple and Android handle contactless payments is different, and an understanding of both approaches is important for card program executives.

In our previous blog, we broke down the mechanics of mobile-based contactless payments. To recap, at the time of adding a card to a digital wallet, the wallet ‘requests’ the issuer for a payment token, specifically generated for the specific wallet and consumer device. This token is securely stored in the mobile device’s ‘secure element’ and replaces the card’s PAN (Primary Account Number) in all further contactless payments. During the transaction, the token is transmitted from the secure element to the POS machine via Near Field Communication (NFC). In this post, we zero in on how the configuration of this ‘secure element’ differs between Apple and Android devices.

Secure Element on iOS

The concept of a secure element varies significantly between Apple’s iPhones and Android devices. On iPhones, the secure element is an industry-standard, certified chip designed to:

• Allow restricted access for robust protection
• Run a limited set of trusted applications (like Apple Wallet) and devices (such as POS terminals) with read and/or write access
• Store confidential and cryptographic information like passwords, PINs, and cryptographic keys securely

As a result, Apple’s Secure Element chip offers top-notch, hardware-level security designed to prevent unauthorized access and run only trusted applications (Image 1).

Image 1

This secure element is deeply integrated into the iPhone’s architecture, requiring close collaboration between app developers and Apple to ensure app access. This integration has meant that Apple Wallet has, until very recently, had exclusive access to store payment tokens, preventing other wallets like Google Pay and Samsung Pay from offering similar capabilities on iPhones. This is, however, changing in the EU after a recent litigation. ²

Secure Element on Android

Unlike Apple’s secure element, the Android ecosystem faces challenges due to its diversity of hardware makers and mobile network operators. To tackle this, the Secure Tech Alliance (formerly known as Smart Card Alliance)³ collaborated with Android to develop Host Card Emulation (HCE).

HCE allows a mobile application to perform card emulation transactions with an external NFC reader. Any Android device with an NFC chip can enable HCE, with security managed by the operating system and the application. However, HCE itself doesn’t contain a security architecture. Instead, the mobile application and OS must provide necessary security controls (Image 2). Today, HCE security on Android is fortified through enhanced authorization controls, device fingerprinting, and software hardening. Tokenizing card details further reduces the impact of potential breaches.

In summary, Android’s Host Card Emulation (HCE) allows any NFC-enabled device to perform card emulation, offering greater flexibility compared to Apple’s hardware-based approach.

Image 2

HCE opens NFC capability to all mobile application developers, eliminating dependency on hardware makers. This fosters multiple mobile wallet applications on Android, making in-store transactions more secure as the original card number isn’t exposed. Even if data is compromised, card details remain protected, allowing cardholders to continue using their original cards by generating new tokens.

Contactless Payment Flow with HCE and Secure Element

The payment flow for tap and pay or contactless payments using both HCE and Secure Element is identical (Image 3).

Image 3

• Initiation: The user taps their Android/iOS device on a Merchant POS terminal using NFC
• Token Transmission: The payment token, securely stored in the mobile app (Android)/secure element (iOS), is transmitted to the POS terminal via NFC
• Payment Authorization: The POS terminal sends the payment token to the acquiring bank, which forwards it to the payment network and the issuing bank for validation
• Completion: The transaction is approved or declined, and the response is communicated back through the network to complete the payment

Activating Push Provisioning to iOS and Android Digital Wallets

Card issuers can enable their cards for digital wallets in two ways. The traditional method involves manual entry by the cardholder, where they type in their card details directly into the wallet app. The user needs to manually type in all their card details (card number, expiration date, CVV) into the wallet app, following which the user might need to undergo additional verification steps set by the issuer, like entering a one-time code sent via SMS or email.

Push provisioning offers a more streamlined approach where the cardholder can directly send card information to the digital wallet with a single click through the issuer’s app, eliminating manual data entry for a faster and more secure setup. Look out for our next blog where we deep dive through the hows and whys of push provisioning.

Growing Scope for Digital Wallets Across Retail and Commercial Payments

Visa recently expanded its digital wallet capabilities within Visa Commercial Pay, a B2B payment suite. This innovation allows financial institutions to add virtual corporate cards into employees’ digital wallets, including third-party wallets like Apple Pay and Google Pay, enhancing convenience, security, and flexibility for corporate users⁴. This expansion underscores the importance of embracing digital wallet technology to stay competitive and meet today’s dynamic business needs.

In conclusion, understanding the technical nuances of payments across iOS and Android is crucial for card issuers aiming to stay competitive in the digital payment landscape. Watch this space for our next blog on push provisioning capabilities for issuers. And contact us to know how Zeta helps issuers offer cards enabled for the future of contactless payments.

References:

1. CFPB, Big Tech’s Role in Contactless Payments: Analysis of Mobile Device Operating Systems and Tap-to-Pay Practices | September 2023
2. Reuters, Apple lets rivals use tap-and-go payments as EU’s Vestager warns on tech charges | July 2024
3. Secure Tech Alliance, About the Alliance: Current Members | Referred in July 2024
4. Visa, Visa Expands Its Digital Wallet Capabilities and Availability | February 2024