A new PCI standard for using off-the-shelf mobile phones and tablets to accept tap-and-go payments should open the door for more contactless transactions. How much more is another question.
It’s the ultimate convenience for a harried merchant: just whip out a regular smart phone or tablet and ask the customer to pass her contactless credit or debit card in front of it. No swipe, dip, PIN, or signature needed. Instantly, there’s a ding, and, voilà, transaction done.
That scenario isn’t appropriate for all merchants. But a new standard released last month by the PCI Security Standards Council could pave the way for more acceptance of contactless payments with no more hardware needed than a merchant’s off-the-shelf mobile phone or tablet equipped with near-field communication technology. The only other thing the merchant would need would be a PCI-approved processing application on the device.
The standard is dubbed Contactless Payments on COTS (for commercial off-the-shelf devices), or CPoC. It spells out security requirements governing applications that enable a mobile device to accept payments from customers using contactless-enabled EMV chip cards, smart phones, or wearables. Under development since June 2018, CPoC includes a program for vendors to get their payment applications tested and validated.
CPoC applies to NFC-based contactless payments in which the off-the-shelf phone or tablet does not use hardware such as a card-reading dongle. The Wakefield, Mass.-based PCI Council, which sets industrywide rules for secure acceptance of general-purpose credit and debit cards, years ago introduced a set of rules for contactless payments with purpose-built payment devices called the PCI PIN Transaction Security Point of Interaction (PCI PTS POI) Standard.
In addition, vendors already provide secure software-based PIN entry on COTS (SPoC) applications that require a dongle and enable customers to enter a PIN on a merchant’s mobile device. The new CPoC standard does not permit software-based PIN entry and is meant for tap-and-go payments.
‘Little Squiggly Thing’
While contactless has only an estimated single-digit share of U.S. card payments, tap-and-go is expected to grow fast as issuers begin to crank out dual-interface EMV chip cards. These cards can not only be dipped into a point-of-sale terminal, as most EMV cards function today, but also be tapped, because they have an antenna for NFC contactless transactions.
Visa Inc. said there were 100 million contactless-enabled Visa cards floating around the U.S. in late 2019, and the network expects 300 million by the end of this year.
Meanwhile, 84.5% of U.S. adults now have a smart phone, according to Marlborough, Mass.-based research firm Mercator Advisory Group Inc. And the vast majority of smart phones today come with NFC, says Peter Reville, director of primary research services at Mercator.
The dominance of smart phones is helping the NFC-based Apple Pay, Google Pay, and Samsung Pay mobile-payment services to finally gain some traction years after their introduction. And wearables are getting into the NFC payments act with the spread of Apple Inc.’s Watch and wristbands and other devices from Fitbit and other manufacturers.
“The PCI CPoC initiative is part of the Council’s mission to enhance global payment-account data security by developing standards and programs that support secure payment acceptance in new and emerging payment channels,” the PCI Council said in a blog post. “Ultimately, the PCI CPoC standard and program will lead to more options for merchants to accept contactless payments in a secure manner.”
Ron van Wezel, a Netherlands-based senior analyst for Boston-based research firm Aite Group LLC, says Visa and Mastercard Inc. have tested NFC payments on COTS devices in the United Kingdom and Poland.
“This is the next step in the evolution to what I call ‘SoftPOS’—payment-acceptance solutions at the point of sale that are entirely software-based,” van Wezel says by email. “Merchants would simply download an application to start accepting card payments.”
That end point, however, has not yet been reached.
“The new PCI standard does not allow for PIN entry on the COTS,” he says. “This means that contactless card acceptance on such devices is only possible for low-value payments under the contactless limit.”
In Europe, that limit currently is €25 ($27.73). But Apple Pay or Google Pay mobile payments can be used for any value because they use biometric cardholder verification, he notes.
So while the new PCI standard is good news for backers of contactless payments, it alone will not spur a massive expansion of tap-and-go, according to some observers. Critical to contactless growth is merchant and consumer education, says Mercator’s Reville, noting that too few consumers and store clerks know what the radio-wave symbol that identifies a contactless EMV terminal or card means.
“Just because you have that little squiggly thing on your card, do people know it,” he wonders. “They just don’t know.”
No Contactless Tsunami
Merchant processor Square Inc. launched a decade ago by catering to part-time sellers and tiny merchants ignored by most independent sales organizations and big merchant acquirers. Those small businesses today account for a declining share of Square’s payment volume as the company moves up-market, but there are still plenty of them.
And presumably a good number might be interested in taking payments in accordance with the CPoC standard. Square declined comment for this story, however.
Payments consultant Patricia Hewitt, chief executive of Savannah, Ga.-based PG Research & Advisory Services, believes the new PCI CPoC standard “will lift some boats” in merchant adoption of contactless payments, particularly among very small businesses, in-house sellers, on-the-road salespeople and the like.
But she doesn’t predict a contactless tsunami. Beyond the placement, certification, and activation of contactless-accepting terminals, an important issue is reliable performance.
“The whole question around this is execution,” Hewitt says, adding that clerks too often have to tell customers the contactless function sometimes works and sometimes doesn’t. “That tends to suppress adoption.”
In the U.S., mass transit, a merchant category characterized by low-value payments but a pressing need for transaction speed, has emerged as the highest-profile venue for tap-and-go. But this category isn’t affected by the CPoC standard.
The New York City area’s Metropolitan Transportation Authority in early December activated 96 contactless card readers in Manhattan’s Penn Station, one of the nation’s busiest transit hubs. It’s part of the MTA’s quest to accept contactless payment cards and mobile-payment apps for fares across all of its vast subway and bus system by the end of 2020.
The MTA reported it had recently surpassed 4 million taps after beginning acceptance of contactless payments at limited locations in late May. By the end of December, all MTA-operated buses on Staten Island, two Staten Island Railway stations, and 85 of the MTA’s 472 subway stations were to have tap-and-go fare readers.
The contactless effort is part of the MTA’s OMNY project, which enables riders to pay fares with major-brand contactless credit and debit cards as well as Apple Pay, Google Pay, Samsung Pay, and Fitbit Pay. In addition, OMNY will have its own virtual card and a physical contactless card set to launch in 2021. OMNY is replacing the MTA’s magnetic-stripe-based MetroCard, which debuted in 1994.
Still, some major payments players are optimistic CPoC will play an important role in developing part of the contactless-payment market.
“The PCI CPoC standard is expected to spur innovations to offer merchants more choice in contactless acceptance options, and reduce barriers to payment card acceptance, particularly in the smaller merchant community,” Linda Kirkpatrick, Mastercard’s executive vice president, U.S. merchants and acceptance, tells Digital Transactions by email.