Mobile pay, demystified

With Apple Pay and other secure mobile payment technologies set to hit the marketplace, credit cards and cash will soon be obsolete.

The ability to pay for things using your smartphone, tablet or smartwatch is the largest single disruptive technology to hit the retail business marketplace. It’s called secure mobile payment, and Apple Pay (see Cash, Credit or Cloud? May) appears to be the catalyst igniting market acceptance.

I thought I would do my bit to help demystify mobile payments by looking under the hood of these technologies. What are they? How do they work? Are they safe? Side note before I get going: secure mobile payments combine near-field communication (NFC) and tokenization with either a secure element or host card emulation (HCE).

NFC technology: This form of wireless communication allows devices in close proximity (within 4 cm to 5 cm) to share information with a wave or a tap. NFC is typically found in devices that can connect to the Internet. It falls into the same wireless technology as radio frequency identification (RFID), which uses radio signals for tagging and tracking. Examples of RFID include highway toll transponders, asset tags used for inventory control, hotel room keys and ID tags for pets.

The big difference between the two technologies is that while RFID devices are used as either a receiver or a transmitter, NFC-equipped devices can be both a receiver and a transmitter, allowing for near-field peer-to-peer two-way communication.

An NFC device’s main advantage is that it will transmit only to close proximity devices such as payment terminals. At first glance, it makes sense to add NFC to our smartphones so we only need to carry one thing rather than having credit, debit, loyalty and security access cards. Not surprisingly, the Samsung Galaxy S5, iPhone6 and Nokia Lumia feature NFC technology.

Problems arise with NFC’s second big advantage: its two-way communication capabilities. Do you really want to put all your account numbers on a device that communicates over the Internet? This is where tokenization comes into play.

Tokenization: If you know what a gambling chip is then you understand tokenization. Each chip is marked with the casino’s name and a number. The cashier verifies the name, notes the number and pays you based on the casino’s payment schedule.

Tokenization separates the number on the NFC device from your actual account number and other private information. The relationship between the token number and account number is maintained in secure cloud-based databases. Smart. Still, NFC did not gain wide acceptance in the payments arena because of security concerns and unethical hackers. This is where secure elements and HCE have changed the game.

Secure element and HCE: GlobalPlatform, a nonprofit secure chip technology standards-setting association, defines a secure element as a "tamper-resistant platform (a microcontroller) capable of hosting NFC applications and their confidential and cryptographic data." Apple Pay introduced this technology to its iPhone 6, iPad Air 2, iPad mini 3 and the Apple Watch.

HCE was introduced by Google. It allows the NFC protocol to be handled by its Android operating system with secure cloud-accessible data instead of with a local hardware-based secure element chip. This past December, RBC became the first financial institution in North America to launch a commercial implementation of mobile payments using HCE technology.

These combined technologies make sense. Our information is securely stored in the cloud, our token number is transmitted over short distances and we are comfortable with a secondary approval such as a PIN or fingerprint. More importantly, they work and I’m sure that within a year or two, it will be the dominant way to pay. Adios, cards and cash. Rest in peace, wallet.