
Eliminating CNP from eCommerce - cont

Let's for a moment think outside the box and try to forget about using the SE (secure element) in the mobile phone as secure storage for the card info. Consumers already have the proper secure elements in their cards. There is too much politics involved in arguing about who controls the SE in the mobile phone; that battle will never be won, or an acceptable compromise between Issuers and MNOs may never be achieved. So let's forget about using the NFC-enabled mobile phone in so-called 'card emulation mode'.

My personal view is that since many Android phones on today's market are already NFC-enabled, they could be used simply as personal consumer contactless card readers during e-commerce transactions to interact with the existing contactless chip cards.

It is a mini paradigm shift in a way, one that would ideally open the doors to 'card present' e-commerce transactions, if big players like the payment schemes and card issuers were willing to play along and make the effort to certify such solutions.


Comments: (4)

A Finextra member 14 October, 2013, 09:53

You (almost) described "Cloud POS" - https://www.finextra.com/blogs/fullblog.aspx?blogid=8336

With some tweaks to the flow and comm. channels, that makes perfect sense. How quickly and eagerly the card networks jump on board is another story (now that they are married to the idea of "tokens" that give them perceived control... - in fact, "Cloud POS" gives them a much better and needed role to play in e-comm...)

A Finextra member 14 October, 2013, 12:45

Alex

The 'token concept' you mentioned, which the schemes are now pushing as their favorite, is in my view not a replacement for something like this, but is in fact a perfect complement. You would hope that in those organizations (we have all dealt with them on a business and technical side in our business adventures and startups) they would have enough brain power to realize that.

For example, at step 13 in the flow which I proposed in my post, the online merchant side would still get a 'token' with the final approval containing the EMV TC cryptogram (instead of the real card data) so that in their system they never see nor store any cardholder credentials.

I took a look at your blog post about 'cloud POS'. It seems to me that great minds think alike ;-)

A Finextra member 14 October, 2013, 12:57

Milos, one of the token architectures I saw was based on providing consumers with dynamic 16-digit tokens BEFORE the transaction. The token would then be used in lieu of a card.

With the "Cloud POS" approach, the customer can use any generic identifier (e.g. email) when initiating the transaction, hence no need for tokens at that stage. As you correctly pointed out, a token can indeed be used after the transaction. 

The reason the card networks want to use tokens before the transaction is control - to get a grip on "card on file" competition (such as PayPal)... It's not about PCI, fraud, etc... At all!

A Finextra member 14 October, 2013, 15:52

Sure, issuing the 'token' at the beginning of the transaction will also work, but I am unsure if it would maybe require changes to the current processes and infrastructures.