Bringing Mobile Payments to Market for an International Retailer


Page 1: Bringing Mobile Payments to Market for an International ...clearbridgemobile.com/.../Bringing-Mobile-Payments...The solution - a mobile application with mobile payment functionality


At Clearbridge we go beyond checklists and simple requirements; we strive for the best product. We get to know our clients (their users and needs) and we push the limits of technology and design to achieve an unparalleled connected experience.

Clearbridge Mobile has developed applications that have been downloaded and used by millions of users including the world’s first Host Card Emulation (HCE) / Near Field Communication (NFC) mobile payment and gift card solution used in 4000+ retail locations. Our services include strategic consulting, UI/UX design, development, QA, and maintenance.

Services: Strategy, Design, Mobile Development, Project Management, Maintenance, Support

Founded in 2011, Clearbridge Mobile has emerged as a world class studio developing state of the art wearable and mobile wallet / payment solutions.


Introduction

Bringing Cloud Based Mobile Payments to Market

This white paper will provide an overview of how Clearbridge Mobile brought to market one of the first mobile wallet applications using HCE and Secure Barcode. It will also cover aspects of creating an open loop wallet in the mobile payments industry going forward.

NFC is a set of standards that allows devices with an NFC chip to communicate with each other over very short distances (inches rather than feet). HCE is the ability to mimic a physical smart card (gift card, credit card, etc.) using a mobile device without using the secure element. NFC using HCE makes it possible to create a closed loop tap-to-pay application that can seamlessly communicate with NFC-enabled payment terminals.

Our client, an international retailer with over 4,000 franchised locations, required a mobile payment solution that helped address its operational challenges: long line-ups and the need for quick transactions. At the same time, our client needed a solution that leveraged its existing infrastructure, including the point of sale (POS) and the payment processor.

The solution: a mobile application with mobile payment functionality built using ClearPay™. ClearPay™ is a mobile payment SDK that extends applications into the next generation of mobile payments using Bluetooth Low Energy (BLE), NFC and Secure Barcode. In the case of our client, ClearPay™ was leveraged to build an HCE-enabled NFC and Secure Barcode mobile wallet solution.


The Market is Primed for NFC and HCE Technology

The Fastest Way To Pay

NFC Enabled Smartphones Are Readily Available

Whichever solution Clearbridge deployed, we had to ensure it stayed true to our client’s operational objective of providing speed and efficiency during checkout. One of the quickest methods of payment for our client’s customers is the tap-and-pay infrastructure already in place through Visa payWave and MasterCard PayPass terminals. By developing our client’s mobile wallet to leverage PayPass and payWave NFC terminals, Clearbridge was able to build the mobile payment solution with the quickest transaction time for the client.

Our client’s needs mandated that their mobile wallet solution be available on three major platforms: BlackBerry 10, Google Android and Apple iOS. With more than 50% of the North American smartphone market on Google Android, and the rollout of Android 4.4 to over 60% of existing Android smartphones, the market was primed and ready for NFC-enabled mobile wallets. BlackBerry 10 devices come HCE-enabled, and in Fall 2013 Google also enabled HCE on devices running Android 4.4. Seeing this opportunity and the rise of Android 4.4 adoption, we demonstrated to our client that more than half of their mobile market already had the technology in their hands.

[Figure: HCE, Android 4.4, Secure Barcode, NFC]


Future Infrastructure - EMV in the U.S. (2015)

As the client continues to grow, it also continues to aggressively penetrate the U.S. market. Payment companies in the U.S. such as Visa and MasterCard are pushing EMV-standard chip-and-PIN technology. By October 2015, liability for fraudulent transactions will shift to retailers who have not adopted EMV technology. Although chip-and-PIN technology differs from contactless payments, historically the two have complemented each other in terms of market adoption. Anticipating the contactless payment adoption trend in the U.S., Clearbridge ensured the client’s mobile wallet would be future-proof in markets of aggressive growth.


Developing a NFC Tap & Pay Mobile Wallet

The systems involved in developing our client’s mobile wallet included NFC (client end, requesting and sending the card number), the POS terminal (client end, receiving data and processing the transaction), the Mobile Service Server (back end, responsible for managing the services) and the Transaction Process Service (back end, handling card transactions and verifications).

The transmission protocol used to communicate between the device and the POS terminal is ISO 14443 part 4 (ISO 14443-4). The text of this standard protocol is proprietary and available only to members.

The following pseudocode describes how the NFC communication is implemented:

    Get NFC event
    Get event type from the NFC event
    If event type is ISO 14443-4 then
        Get the NFC target
        From the NFC target get incoming data
        Process the incoming data
        Send the response data back to NFC

The NFC API provides a card emulator interface and, like most of the system services, we are provided libraries that allow us to listen for all NFC events. If the event type is ISO 14443-4 (used by the retailer’s gift cards) we initiate the handshake between the device and the terminal.

At the end of the handshake between the terminal and the device, the app responds with the track data. The track data consists of a series of characters associated with magnetic stripe cards that is passed to the POS system for processing. This is the key information passed to the terminal for processing the payment. The details of the byte-level data cannot be shared since the format is proprietary.
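The following is an added example, not Clearbridge or ClearPay code, that models the "process the incoming data / send the response" step of the pseudocode above as a card-emulation APDU handler. On Android the equivalent entry points are HostApduService.processCommandApdu() and onDeactivated(); the Python here implements the same loop so it can run without a phone. The AID, the GET DATA command and the track-data bytes are constructed placeholders: the retailer's real AID and the proprietary track format are not on the page. The security-relevant behaviour is that the emulator answers only the SELECT for its own AID and releases the track data only on a link where that SELECT succeeded.

```python
# Added example (not Clearbridge/ClearPay code): a minimal ISO 14443-4 style
# card-emulation APDU handler of the kind the pseudocode sketches.

# ISO 7816-4 status words (two-byte trailer of every response APDU)
SW_OK = bytes.fromhex("9000")
SW_WRONG_LENGTH = bytes.fromhex("6700")
SW_CONDITIONS_NOT_SATISFIED = bytes.fromhex("6985")
SW_FILE_NOT_FOUND = bytes.fromhex("6A82")
SW_INS_NOT_SUPPORTED = bytes.fromhex("6D00")
SW_CLA_NOT_SUPPORTED = bytes.fromhex("6E00")

INS_SELECT = 0xA4
INS_GET_DATA = 0xCA   # assumed command the terminal uses to fetch the track data

# Constructed AID in the proprietary 0xF... range; stands in for the real one.
DEMO_AID = bytes.fromhex("F0436C656172")
# Constructed placeholder; the real track format is proprietary.
DEMO_TRACK_DATA = b"TRACK-DATA-PLACEHOLDER"


class CardEmulator:
    """Emulates one card application: answers SELECT for its AID, then
    releases the track data only to a reader that has selected it."""

    def __init__(self, aid: bytes, track_data: bytes):
        self.aid = aid
        self.track_data = track_data
        self.selected = False

    def process_apdu(self, apdu: bytes) -> bytes:
        # Command APDU layout: CLA INS P1 P2 [Lc data] [Le]
        if len(apdu) < 4:
            return SW_WRONG_LENGTH
        cla, ins, p1 = apdu[0], apdu[1], apdu[2]
        if cla != 0x00:
            return SW_CLA_NOT_SUPPORTED
        if ins == INS_SELECT and p1 == 0x04:      # SELECT by DF name (AID)
            lc = apdu[4] if len(apdu) > 4 else 0
            body = apdu[5:5 + lc]
            if len(body) != lc:
                return SW_WRONG_LENGTH
            if body == self.aid:
                self.selected = True
                return SW_OK
            self.selected = False                 # wrong AID: nothing is exposed
            return SW_FILE_NOT_FOUND
        if not self.selected:
            return SW_CONDITIONS_NOT_SATISFIED    # handshake not completed
        if ins == INS_GET_DATA:
            return self.track_data + SW_OK        # final step: track data + 9000
        return SW_INS_NOT_SUPPORTED

    def on_deactivated(self) -> None:
        """Link lost or another AID selected: forget the selection."""
        self.selected = False


def select_apdu(aid: bytes) -> bytes:
    """Build the SELECT-by-AID command a terminal sends first."""
    return bytes([0x00, INS_SELECT, 0x04, 0x00, len(aid)]) + aid + b"\x00"


def run_handshake(emulator: CardEmulator, aid: bytes) -> list:
    """Drive the exchange from the terminal side; returns the response APDUs."""
    responses = [emulator.process_apdu(select_apdu(aid))]
    responses.append(emulator.process_apdu(bytes([0x00, INS_GET_DATA, 0x00, 0x00])))
    emulator.on_deactivated()
    return responses


if __name__ == "__main__":
    em = CardEmulator(DEMO_AID, DEMO_TRACK_DATA)
    for resp in run_handshake(em, DEMO_AID):
        print(resp.hex())
```

A reader that selects a different AID gets 6A82 and every later command gets 6985, so a stray or hostile reader never sees the track data; clearing the selection in on_deactivated() keeps the state from leaking across taps.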


Testing Challenges

With NFC payments, we know whether the NFC handshake passed or failed. Validating that the correct data is passed to the terminal and that transaction details are correctly updated required lab and in-store testing with the client’s POS and back-end systems. Testing against the POS allowed us to uncover use cases of the app that would not typically be discovered during development.

The following are examples of the types of tests performed:

POS terminal success/failure and application timeout behaviours

Back-end and NFC responses for invalid and inactive cards

Transaction statuses and types (Success/Fail, Purchase, Refund, Reload, Balance, Merging)

NFC success/failure responses

Network offline Tap to Pay

An Application ID (AID) allows an NFC reader to tell a device which emulated card it wants to read. For devices to act as a reader, they must have a registered AID. Hurdles we faced included achieving the desired behaviour of the NFC tool, which depends on the correct AID being in the secure element.

The NFC chipsets in the devices mandated by the client were designed by different manufacturers, which created chipset fragmentation. While building the application, the team had to take this into account, ensuring that all chipsets and standards were supported for every device.


Building a Secure Barcode Payment

Securing PDF417 Using Private Key

PDF417 comes with an insecurity: barcodes can easily be created by anyone. There is little that can be done to stop an attacker from creating their own barcode from a 16-digit gift card number. To combat this, Clearbridge implemented a private key that is created with each barcode. The private key is used to authenticate the barcode and cannot be replicated.

Alongside NFC, our client needed a mobile wallet solution that would be supported by devices without the NFC chip. The solution also needed to reduce time spent in line while delivering a superior mobile experience. Using our ClearPay™ SDK, we built a secure barcode mobile payment solution which utilizes an encrypted PDF417 linear barcode symbol.

PDF417 was chosen for the following reasons:

The barcode’s ability to store more information

As a commonly used barcode, PDF417 does not require a license

PDF417 has been gaining major popularity among POS infrastructures, with major retailers, airports and Apple Passbook also utilizing the barcode


Modifying POS Terminals for Secure Barcode

In order to secure the barcode transaction, minor modifications were needed for the POS terminal to handle security. When a transaction is transmitted through PDF417 barcode, the track 2 data is encrypted by the mobile application and decrypted by the electronic funds transfer (EFT) software. Once the EFT software has decrypted the track 2 data, the transaction continues to the necessary payment processor.
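As an added example, not the ClearPay implementation, the block below shows the authentication half of the secure-barcode scheme described in the "Securing PDF417 Using Private Key" and "Modifying POS Terminals" passages: the app binds a per-barcode nonce and an expiry to the track 2 data with an HMAC under a key the EFT software shares, and the EFT side refuses anything forged, expired or already redeemed. It assumes a shared HMAC key, a 60-second lifetime and a '|' field separator (none of which are on the page) and keeps the track 2 field in the clear so the flow is visible; the paper's encryption of track 2 would be layered on top of this and is not shown. The key and the track 2 string are constructed demo values.

```python
import hashlib
import hmac
import secrets

# Constructed demo key: in practice the EFT software holds it and the app
# receives it through provisioning, never as a hard-coded constant.
DEMO_KEY = b"constructed-demo-key-not-for-production"
# Constructed track 2 string (not a real card); track 2 uses digits ; = ? only.
DEMO_TRACK2 = ";6006491234567890123=49121010000000000?"
SEP = "|"            # assumption of this example: never appears in track 2 data


def make_barcode_text(track2: str, key: bytes, issued_at: int,
                      ttl_seconds: int = 60, nonce: str = None) -> str:
    """App side: payload + HMAC-SHA256 tag, ready to encode as PDF417."""
    if SEP in track2:
        raise ValueError("separator character is not allowed in track 2 data")
    nonce = nonce or secrets.token_hex(8)       # fresh per barcode
    payload = SEP.join([track2, str(issued_at), str(ttl_seconds), nonce])
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + SEP + tag


def verify_barcode_text(barcode_text: str, key: bytes, now: int, seen_nonces: set):
    """EFT side: returns (track2, "ok") or (None, reason). Checks the tag
    before trusting any field, then expiry, then replay."""
    parts = barcode_text.split(SEP)
    if len(parts) != 5:
        return None, "malformed"
    track2, issued, ttl, nonce, tag = parts
    payload = SEP.join(parts[:4])
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None, "bad_tag"
    if not (issued.isdigit() and ttl.isdigit()):
        return None, "malformed"
    if now > int(issued) + int(ttl):
        return None, "expired"
    if nonce in seen_nonces:                     # same barcode presented twice
        return None, "replay"
    seen_nonces.add(nonce)
    return track2, "ok"


if __name__ == "__main__":
    redeemed = set()
    text = make_barcode_text(DEMO_TRACK2, DEMO_KEY, issued_at=1_000_000)
    print(verify_barcode_text(text, DEMO_KEY, now=1_000_030, seen_nonces=redeemed))
    print(verify_barcode_text(text, DEMO_KEY, now=1_000_030, seen_nonces=redeemed))
```

The replay set would live in the EFT software (or a shared store across lanes) and only needs to retain nonces for the lifetime window, since anything older is rejected as expired first.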

[Figure: PDF417 Transaction Process]


Secure Reload Account Balances

PCI Compliance

Secure Reload Process

Secure reload refers to the ability to replenish the customer’s account via the client’s mobile application. As our client’s customers conduct multiple transactions a week, it was imperative that their account balance reload automatically.

Developing a secure reload feature is complex as it touches multiple back-end systems and requires Payment Card Industry (PCI) standards compliance. The mobile application itself is not PCI compliant, and therefore cannot store sensitive credit card information.

Clearbridge Mobile worked with our client’s payment processor to store credit card data in a secure PCI-compliant environment. As a result, a user’s payment information is never held in the mobile application, but is instead sent directly to the payment processor. Whenever an auto-reload request is generated, the mobile app makes a call to the payment processor web service to securely reload the funds.

Handling credit card information raises issues of PCI compliance. Clearbridge faced roadblocks using our client’s existing middleware technologies. These middleware technologies were used to plug into the payment processor’s web services with the function to transfer gift card data, but did not meet the PCI standards requirements to transfer credit card data. Clearbridge Mobile worked with the payment processor to create web services the mobile application could directly plug into, eliminating the need for non-PCI compliant middleware.


Client Results

Clearbridge Mobile was able to deliver the mobile wallet application with a complete UI/UX redesign within 12 weeks.

Our client decided on a pilot launch of the mobile application on the BlackBerry 10 platform. Within the first 3 months the pilot yielded 30,000 downloads.

The following are statistics on customer usage and transactions during the pilot launch:

[Figure values: 25,000; Total Addressable Market ~300,000]

~10% used the app within the first 3 months of the pilot.

During peak times, customers (~30,000) used the client’s app twice a week (~60,000x).

1,750–2,000 transactions have been made in a day, roughly more than one mobile transaction per minute.

During off-peak times, between 750 and 1,000 mobile payment transactions are made each day, equalling one transaction every two minutes.


Building an Open Loop Secure Mobile Wallet Using HCE

Securing Card Present Transactions

The payment and software industries are now pushing towards building open loop HCE mobile wallets. Google significantly changed the mobile wallet landscape in 2013 with the introduction of HCE in smartphones running Android 4.4. Payment giants such as Visa, MasterCard and EMV have embraced HCE and have released their first documentation on developing mobile wallets. As mobile wallets continue to evolve, Clearbridge Mobile offers insight into the technological hurdles that need to be addressed.

Card Present Transactions (CPT) are those where the issuer of the card agrees that the card is present at the time of the transaction. CPT carry lower costs and help combat fraud compared with Card Not Present (CNP) transactions, which is why they are the preferred type of transaction.

Mobile CPT transactions can be secured using the 4-digit PIN Verification Value (PVV) method, where a code is generated when a user enters their card number into their smartphone. When a mobile transaction takes place, the phone sends track 2 data. The track 2 data holds the PVV, which is verified by the payment processor as a CPT transaction. Payment processors impose limits that allow a PVV for a specific card to be created only a certain number of times. This creates a problem when a customer loses their device, re-installs the app, has to re-register their card, or any combination of these: the result may be that the maximum number of PVVs has been created. Without the PVV, the card would then be rendered useless for mobile payments.


Mobile Transaction with Tokenization

Centralizing PVV Storage

Tokenization Creation, Storage and Validation

Tokenization

Centralizing the storage of the PVV in the cloud could essentially resolve these limitations, meaning neither the payment processor nor the mobile application would have to re-create it. With PVV cloud storage, regardless of how many times a card is registered or re-registered, the PVV for each card remains the same and does not need to be re-created.

The concept of tokenization is not new; however, in the realm of mobile payments it is relatively nascent. The storage, creation and validation of tokens has yet to be implemented in the market. Clearbridge Mobile foresees banks’ Trusted Service Managers (TSMs) acting as token generators and validators.

Tokenization is the next step in opening the mobile wallet from closed to open loop. Tokenization obscures the 16-digit primary account number (PAN) by masking it as a token so that card information is not sent as plain text. Mobile transactions cannot be conducted without the PAN; however, storing PAN data on mobile devices is a security risk – hence the creation of tokens. Tokenization does not transfer track 2 data but rather sends a token to the NFC terminal, which is then relayed to the cloud. The cloud decrypts the token, associates it with the right PAN, and sends the PAN data back to the NFC terminal.
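The block below is an added example, not Clearbridge code, that puts the "Centralizing PVV Storage" and "Tokenization" passages together in one cloud-side service. It assumes a random lookup token (a vault mapping token to PAN) rather than the decryptable token the text mentions, tokens that are the same length as the PAN and Luhn-valid so they pass existing input checks, and a stand-in payment processor that enforces the per-card PVV creation limit the paper describes. The PAN used is the well-known test number 4111111111111111; the processor limit and the leading token digit are assumptions of this example. The point it demonstrates is that with the PVV kept once in the vault, repeated registrations of the same card never consume the processor's PVV allowance, while the same registrations against the processor directly do.

```python
import secrets


def luhn_valid(number: str) -> bool:
    """Luhn (mod 10) check used on card PANs; also applied to our tokens."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_complete(partial: str) -> str:
    """Append the single check digit that makes `partial` Luhn-valid."""
    for d in "0123456789":
        if luhn_valid(partial + d):
            return partial + d
    raise ValueError("partial must be all digits")


def mask_pan(pan: str) -> str:
    """PCI-style masking for logs and screens: first six and last four only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class PaymentProcessor:
    """Stand-in for the processor (constructed): issues at most `limit`
    PVVs per card, which is the limitation the paper describes."""

    def __init__(self, limit: int = 3):
        self.limit = limit
        self.issued = {}            # pan -> number of PVVs created so far

    def create_pvv(self, pan: str) -> str:
        n = self.issued.get(pan, 0)
        if n >= self.limit:
            raise RuntimeError("PVV creation limit reached for this card")
        self.issued[pan] = n + 1
        return f"{secrets.randbelow(10000):04d}"   # 4-digit PVV


def direct_registrations_that_succeed(processor: PaymentProcessor, pan: str, attempts: int) -> int:
    """Without central storage every (re)registration creates a new PVV."""
    ok = 0
    for _ in range(attempts):
        try:
            processor.create_pvv(pan)
            ok += 1
        except RuntimeError:
            break
    return ok


class CloudVault:
    """Cloud side: random lookup tokens in place of the PAN, plus one PVV
    kept per card so re-registration never asks the processor again."""

    def __init__(self, processor: PaymentProcessor):
        self.processor = processor
        self._token_to_pan = {}
        self._pan_to_token = {}
        self._pvv = {}

    def _new_token(self, pan: str) -> str:
        # Same length and Luhn-valid so existing systems accept it; the leading
        # '9' is an assumption of this example, not an industry rule.
        while True:
            body = "9" + "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 2))
            cand = luhn_complete(body)
            if cand != pan and cand not in self._token_to_pan:
                return cand

    def register_card(self, pan: str) -> str:
        """Called on every (re)registration; returns the token the phone stores."""
        if not luhn_valid(pan):
            raise ValueError("PAN fails Luhn check")
        if pan not in self._pan_to_token:
            token = self._new_token(pan)
            self._pan_to_token[pan] = token
            self._token_to_pan[token] = pan
        if pan not in self._pvv:                       # created once, then reused
            self._pvv[pan] = self.processor.create_pvv(pan)
        return self._pan_to_token[pan]

    def resolve(self, token: str):
        """Terminal relays the token; the cloud maps it back to PAN and PVV."""
        pan = self._token_to_pan.get(token)
        if pan is None:
            return None
        return pan, self._pvv[pan]


if __name__ == "__main__":
    vault = CloudVault(PaymentProcessor(limit=2))
    tok = vault.register_card("4111111111111111")
    print(mask_pan("4111111111111111"), "->", tok, vault.resolve(tok)[1])
```

The phone only ever holds the token, the processor sees one PVV creation per card however many times the customer reinstalls, and anything written to logs goes through mask_pan().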


Company Information

Name: Clearbridge Mobile Inc.

Chat: 647 361 8401

Email: [email protected]

Surf: www.clearbridgemobile.com