The Issuers’ Guide to Mobile-Based Tap-to-Pay Transactions
2023 saw rapid growth in tap-to-pay, or contactless card payments. Mastercard reported that contactless payments represented over 60% of all in-person switched purchase transactions on their network [1]. Similarly, Visa reported that 45% of all their in-person transactions in the US are tap-to-pay transactions [2].
Mobile-based tap-to-pay payments are an important growth driver of contactless payments. The CFPB published a report on mobile tap-to-pay payments in the US in September 2023 [3]; in it, they cited a Juniper Research report stating that the value of digital wallet tap-to-pay transactions will grow by over 150 percent by 2028 [4].
These are critical trends for issuers as they need to drive digital adoption of their cards to maintain transaction volumes. This blog breaks down the hype around mobile wallet tap-to-pay, explains the tech that makes consumers love it, and highlights the capabilities issuers need to ride this trend.
What is mobile tap-to-pay?
Contactless payments can be made using cards (by tapping your card on the point of sale (POS) machine instead of dipping or swiping it) as well as using mobile-based digital wallet applications (by adding your card to Apple Pay, Google Pay or Samsung Pay mobile wallets).
Digital wallets allow users to ‘add’ their cards to the application, which then tokenizes the card to save it securely. At the time of transacting, the user simply unlocks their phone and taps the mobile device on the POS machine. The wallet uses the mobile device’s in-built Near Field Communication (NFC) capability to communicate with the NFC-enabled POS machine and securely relay the card credentials. We explain this in more detail in the following sections.
With a card added to a mobile device, a mobile tap-to-pay transaction is different from card-based tap-to-pay in the following ways:
- Higher security: Contactless payments made using digital wallet applications are deemed to be more secure than contactless payments made using cards. This is because digital wallet applications share tokens (not the PAN) with the NFC reader on the POS machine.
- Convenience: Digital wallets allow users to add any contactless-enabled card to their device, removing the need to carry physical cards in their wallet.
Another factor driving the adoption of mobile tap-to-pay is that it does not require any additional setup on the merchant’s side; any POS device enabled for contactless card tap-to-pay can also accept mobile tap-to-pay transactions.
Issuers’ view of mobile tap-to-pay tokenization
We introduced tokenization in card payments in our previous blog. In brief, tokenization replaces the card PAN (primary account number) with a payment token in information exchange during a payment. This ensures that the most valuable information that fraudsters are seeking is inaccessible.
We also covered an entity view of tokenization in card payments, with a specific focus on the issuers’ role in it. Tokens are generated by token service providers (TSPs), while issuers manage cardholder onboarding, token provisioning, and token lifecycle management.
In the case of mobile tap-to-pay transactions, TSPs issue a token to be used only from a specific cardholder device. This token enables the cardholder to use a digital wallet on their mobile device to make contactless payments at a POS terminal. This token is issued when the cardholder ‘adds’ a card to their digital wallet.
However, for a user to be able to add their card to a digital wallet, the wallet has to be registered with the card issuer and their TSP first.
Issuers’ view of digital wallet onboarding
Apple Pay, Google Pay, and Samsung Pay are the dominant mobile wallet applications that allow users to make contactless payments at POS terminals. Apple Pay works significantly differently from the rest. We cover this in a subsequent blog, but for now, we will focus on how these wallets enable contactless payments in general.
When a cardholder adds a card to their digital wallet application, the wallet pings the issuer and requests a token that is uniquely generated for the cardholder’s current device. Note that this token cannot be used on any other device or by any other user.
In this process, the wallet performs the role of a Token Requestor (TR) (also covered in the entity view of tokenization in our previous blog). To be able to successfully add a certain issuer’s cards to the mobile app, the wallet needs to:
- be registered as a TR with EMVCo
- be registered as a TR with the TSP of the issuer bank, wherein the TSP issues a unique token requestor ID to the wallet app. Please note that the wallet app needs to work with each issuer bank to register with their respective TSPs.
Once the wallet is registered as a TR with EMVCo, the issuer bank, and the issuer’s TSP, every time a cardholder adds a card from that issuer to their digital wallet, the wallet makes an API call to the TSP. In this call, the wallet passes the PAN, PAN expiry date, and consumer device information (secure element ID, unique device identifier, MAC address, operating system version, etc.) and receives a token and token expiry date in response.
The wallet stores this token in a safe and secure manner on the mobile device. There is a difference in how Apple stores these tokens on iPhones compared to Android devices. We will discuss the differences in the next blog. For now, let us note that this token is stored securely on the cardholder’s mobile device on a ‘secure element’ (the technical term for Android devices is ‘host card emulator’).
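The provisioning call and the device binding described above can be sketched as a toy token vault. This is an added example, not Zeta's or any TSP's code: the class and function names, the token range `999999`, the requestor ID `TR-WALLET-001`, and the choice to mirror the PAN expiry as the token expiry are all assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass

TOKEN_BIN = "999999"                 # constructed token range, not a real BIN
REGISTERED_TRS = {"TR-WALLET-001"}   # hypothetical token requestor IDs

def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

@dataclass(frozen=True)
class TokenRecord:
    pan: str
    token_expiry: str
    tr_id: str
    device_id: str

class ToyTSP:
    """In-memory stand-in for a token vault; real TSP APIs differ."""
    def __init__(self):
        self._vault = {}

    def provision(self, tr_id, pan, pan_expiry, device_id):
        # Only wallets registered as token requestors may provision.
        if tr_id not in REGISTERED_TRS:
            raise PermissionError("unregistered token requestor")
        while True:  # random surrogate: nothing in the token derives from the PAN
            body = TOKEN_BIN + "".join(secrets.choice("0123456789") for _ in range(9))
            token = body + luhn_check_digit(body)
            if token not in self._vault:
                break
        # Assumption: token expiry mirrors the PAN expiry in this toy.
        self._vault[token] = TokenRecord(pan, pan_expiry, tr_id, device_id)
        return token, pan_expiry

    def detokenize(self, token, tr_id, device_id):
        # Domain restriction: the token resolves only for the requestor
        # and device it was provisioned to; anything else gets no PAN.
        rec = self._vault.get(token)
        if rec is None or rec.tr_id != tr_id or rec.device_id != device_id:
            return None
        return rec.pan
```

A token copied to a second device fails the `device_id` comparison and never resolves to the PAN, which is the property that makes a leaked token far less useful than a leaked card number.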
Mobile tap-to-pay transaction flow
When a cardholder selects an added card from their digital wallet and taps their phone on a POS terminal, the wallet passes the token and token expiry date received from that issuer’s TSP to the terminal. The terminal, in turn, initiates an ISO 8583 payment request to the network scheme – setting off the standard card payment authorization flow. But let’s look a little deeper at what happens during this one-second tap.
The POS terminal communicates with the cardholder’s mobile device using NFC technology. The mobile device has an NFC controller, which can communicate with the NFC reader on the POS machine. The NFC controller tries to access the ‘secure element’ on the mobile device; to allow this, the cardholder needs to unlock the phone and authenticate themselves using the phone’s native security capabilities like Face ID, Touch ID, passcode, or device unlock pattern, before tapping the phone.
Upon tapping, the ‘secure element’ passes the token and token expiry to the NFC reader. The POS terminal initiates an ISO 8583 payment request to the network. This ISO 8583 message has a few additional fields to indicate to the network scheme that a token, token expiry, and other details are being passed in the request.
The typical payment flow is then initiated with the acquirer, network scheme, and issuer. Upon authorization, the POS terminal finally receives the payment authorization response code in ISO 8583 format, and the cardholder can see the payment status on the POS terminal and their mobile device.
You can read more about the information exchange in ISO 8583 format in this previous blog.
Issuing cards for the future of contactless payments
Trends and expert forecasters have called 2024 the year of tap-to-pay transactions, anticipating a perfect storm of consumer demand, merchant enablement, and technological advances that make issuance cost-effective and fast.
The larger issuers in the US have been aware of the trends around contactless payments and most of them today issue contactless-enabled cards by default. However, competing in the mobile tap-to-pay market involves distribution through digital wallets, which are currently dominated by tech players. Juniper Research estimates that the number of unique contactless mobile payment users globally will cross 1 billion by 2024 [5] and issuers are competing to position their cards as top of wallet across these users.
Our next blog digs deeper into the digital wallet market and unpacks the two dominant technologies underlying digital wallets – iOS and Android. Contact us to know how Zeta helps issuers offer cards enabled for the future of contactless payments.
Footnotes
1. Pymnts.com, Visa, Mastercard Earnings May Spotlight Contactless Payments Momentum | PYMNTS.com | October 2023
2. Pymnts.com, Visa Direct Transactions Grow 20%, New Flows a $200T Opportunity | PYMNTS.com | January 2024
3. Consumer Financial Protection Bureau, Big Tech’s Role in Contactless Payments: Analysis of Mobile Device Operating Systems and Tap-to-Pay Practices | September 2023
4. Juniper Research, Digital Wallets Market Report: Growth, Trends 2023-2028 | July 2023
5. Juniper Research, Contactless Mobile Payments to Surpass 1 Billion Users for First Time in 2024 | Press | November 2022