ERPB/2015/016
Document ERPB CTLP 70-15
Version 1.1
Date: 5 November 2015
ERPB FINAL REPORT
MOBILE AND CARD-BASED CONTACTLESS
PROXIMITY PAYMENTS
Abstract
This document presents the final report on mobile and card-based
contactless proximity payments.
Document Reference
ERPB CTLP 70-15
Issue
Version 1.1
Date of Issue
5 November 2015
Reason for Issue
Final report to ERPB meeting 26 November 2015
Produced by
ERPB CTLP Working Group
2015-11-26 ERPB item 6 ERPB CTLP working group final report 2/66
Table of Contents
Executive Summary ................................................................................................................................ 4
0 Document information .................................................................................................................... 9
0.1 Structure of the document ........................................................................................................................ 9
0.2 References ............................................................................................................................................... 9
0.3 Definitions ............................................................................................................................................. 10
0.4 Abbreviations ........................................................................................................................................ 12
1 Scope ............................................................................................... ................................................ 13
2 Methodology .................................................................................................................................. 13
3 Vision .............................................................................................................................................. 14
4 Contactless and other proximity implementations in Europe .................................................. 14
4.1 Some “contactless” payment statistics .................................................................................................. 15
4.2 Some lessons learnt ............................................................................................................................... 20
5 Main barriers for the realisation of the vision ........................................................................... 21
5.1 Barriers for proximity payments ............................................................................................................ 22
5.1.1 Lack of a common (open) set of specifications and implementation guidelines for proximity
payments transactions ................................................................................................................................... 22
5.1.2 Lack of customer demand and contactless payment experience ................................................... 23
5.1.3 Lack of ubiquity of POIs ............................................................................................................... 24
5.1.4 Security and privacy ...................................................................................................................... 24
5.1.5 Consumer interaction with POI ..................................................................................................... 25
5.2 Additional barriers for mobile proximity payments .............................................................................. 26
5.2.1 Fragmented and immature mobile technology landscape.............................................................. 26
5.2.2 Complexity and security of mobile devices ................................................................................... 27
5.2.3 Lack of ubiquity of appropriate mobile devices ............................................................................ 28
5.2.4 Mobile competitive landscape ....................................................................................................... 28
5.2.5 Regulatory framework ................................................................................................................... 29
5.2.6 Complexity of mobile ecosystem .................................................................................................. 31
6 Recommendations and guidelines ............................................................................................... 32
Annex 1: Mandate of the ERPB Working Group on mobile and card based contactless proximity
payments ................................................................................................................................................ 38
Annex 2: Composition of the ERPB Working Group on mobile and card based contactless
proximity payments .............................................................................................................................. 40
Annex 3: Template of the survey on mobile and card based contactless proximity payments ..... 42
Annex 4: Outcome on barriers identified through the survey .......................................................... 48
Annex 4.1 Common barriers ............................................................................................................................. 48
Annex 4.2 Additional barrier for contactless card payments ............................................................................ 50
Annex 4.3 Additional barriers for mobile proximity payments ........................................................................ 50
Annex 5: Legal and regulatory documents impacting mobile and card-based contactless
proximity payments in Europe ............................................................................................................ 54
Annex 6: Technical and security reference documents related to mobile and card-based
contactless proximity payments ........................................................................................................... 56
Annex 7: Country profiles .................................................................................................................... 65
Annex 7.1 Poland .............................................................................................................................................. 65
Annex 7.2 UK ................................................................................................................................................... 65
Annex 8: Impact analysis of IF Regulation on contactless payments .............................................. 66
2015-11-26 ERPB item 6 ERPB CTLP working group final report 3/66
List of tables
Table 1: Recommendations ....................................................................................................................... 8
Table 2: References ................................................................................................................................. 10
Table 3: Terminology.............................................................................................................................. 12
Table 4: Abbreviations ............................................................................................................................ 13
Table 5: Definition of levels of card transactions per country ................................................................ 15
Table 6: Card transactions per country ................................................................................................... 16
Table 7: Contactless transactions penetration (Q2 2015) ....................................................................... 17
Table 8: Definition of country clusters for contactless payments ........................................................... 18
Table 9: Country clusters for contactless payments ................................................................................ 19
Table 10: Contactless infrastructure penetration (Q2 2015) ................................................................... 20
Table 11: Recommendations ................................................................................................................... 36
Table 12: Guidelines for the country clusters ......................................................................................... 37
Table 13: ERPB WG participants ........................................................................................................... 41
Table 14: Barriers for card and mobile proximity payments .................................................................. 50
Table 15: Additional barrier for contactless card payments ................................................................... 50
Table 16: Additional barriers for mobile proximity payments ............................................................... 53
Table 17: Legal and regulatory documents ............................................................................................. 55
Table 18: Mobile Payment Architectural Zones (courtesy EMVCo) ..................................................... 56
Table 19: Technical and security reference documents .......................................................................... 64
2015-11-26 ERPB item 6 ERPB CTLP working group final report 4/66
Executive Summary
This final report provides the outcome of the work conducted by the ERPB Working Group on mobile
and card based contactless proximity payments from January 2015, following the mandate given by
the ERPB meeting in December 2014 (see Annex 1), until November 2015.
In order to gain a better insight into these types of payments, the Working Group decided to conduct a
landscaping exercise through a survey amongst Working Group participants. The survey focused on
the existing or planned mobile and card based contactless proximity payment solutions; on the
appropriate technical and security specifications and guidelines, on the related existing and planned
regulations and recommendations and last but not least on the issues and barriers that may prevent the
development and the adoption of pan-European solutions for these types of payments.
The survey results highlighted that the market is fragmented in terms of maturity of the contactless
solutions adoption and the related technical standards implementations. Likewise, the mobile
proximity payments environment shows strong complexities, mainly related to the usage of different
technologies and the large number of business stakeholders involved in the mobile ecosystem.
Based on the results of the survey and subsequent inputs received, the Working Group specified an
overall vision for these payments in the European Union. It further derived from the survey the barriers
and gaps which need to be addressed towards the realisation of that vision. The feedback, based on the
49 inputs received may be found in Annex 4, with an indication if they are in the competitive or
cooperative space. The Working Group subsequently identified and prioritised a number of main
barriers and gaps. For each prioritised barrier, this report provides an issue description based on the
inputs received as well as related key observations made through an analysis by the Working Group.
These have formed the basis for the development of the following recommendations, to be taken in
order for the essential conditions in the cooperative space to materialise towards the realisation of the
vision.
# Addressee(s) Rationale Recommendations Deadline
A
EMVCo
Multiple
standards with a
variety of options
are currently
present in the
market. The
rationale is to
streamline the
standards used in
the industry.
i. Speed up the creation of a single
common POI kernel specification
for contactless (already planned
under Next Generation) and make
the specifications publicly available
as soon as possible.
ii. Limit the number of terminal
configuration options into the EMV
Next Generation specifications, in
order to allow consistency among
implementations and therefore
provide consumers a streamlined
payment experience across
different terminals.
iii. Include in the Next Generation
specifications a parameter that
would allow the identification of
the latest
Dec 2016
2015-11-26 ERPB item 6 ERPB CTLP working group final report 5/66
the form factor of the consumer
device used for the initiation of the
contactless transaction.
B
Card Scheme
Sector
Aligned Card
Scheme
requirements and
the promotion of
the adoption of
open protocols in
the POI domain
will ease the take
up of contactless
payments.
i. Define an aligned European
mandate for the implementation of
contactless enabled POIs including
a specification of where they
should be available. The ECB
should act as facilitator for this.
ii. Harmonise the level of transaction
limits at POI at country level for
payments per use case / payment
context.
iii. Request the usage of open
protocols in the POI domain and
the POI to Acquirer domain which
are compliant to the Cards
Standardisation Volume and
labelled by the Cards Stakeholders
Group.
iv. Mandate a common
implementation plan for the
EMVCO Next Generation
specifications with an appropriate
migration period
1
.
mid 2016
on-going
mid 2017
Dec 2017
C
Cards
Stakeholders
Group
The
standardisation of
open
specifications for
a card and mobile
contactless
payment
application, could
allow payment
application
developers and
card
manufacturers to
reach economy of
scales and would
i. Develop common requirements for
contactless transactions for
inclusion in the Cards
Standardisation Volume Version 8.
ii. Conduct a feasibility study on the
development of open specifications
for a card and mobile contactless
payment application, their
implementation, maintenance and
testing. For mobile applications, the
open specifications should also
address the different possible
configurations for the management,
provisioning and personalisation of
the card data: Secure Element
Dec 2016
Dec 2016
1
This would also cover the identification of the form factor used for the initiation of the contactless transaction,
see Recommendation A.
2015-11-26 ERPB item 6 ERPB CTLP working group final report 6/66
lower the cost of
these items for the
Issuers, fostering
contactless
adoption.
The specification
of common POI
implementation
guidelines will
lead to a more
uniform payment
experience, for
both the
consumer and
merchant
(UICC, Embedded, SD Card) and
HCE. The future specifications
should leverage the work of
EMVCo and Global Platform.
iii. Develop use cases/payment
contexts for contactless payments
(card and mobile based) for
integration in Cards
Standardisation Volume Version 8.
iv. Develop POI implementation
guidelines including common
minimum requirements for
contactless POIs (both for the
payment process side and for the
consumer/POI interface) hereby
leveraging the EMVCo work and
addressing the requirements of
disabled people associations.
Adequate usage of available input
should be made (see for instance
[DNF1], [EAN1], [GIRO1] and
[UKC2] in Annex 6).
Dec 2016
Dec 2016
D EPC,
Consumer
and Retailers
Associations
Enhance society
awareness on
contactless
payments
Coordinate in co-operation with the Card
Schemes an institutional communication
campaign of the ERPB members to
increase the familiarity with contactless
payment products (card and mobile based).
The communication campaign should
result in the creation and distribution of
informative material on contactless
payment solutions and their usage to all the
ERPB members and affiliates. Moreover
ERPB members and the ECB are requested
to make the informative material produced
available on their websites.
This communication material should
include the following topics:
how to use contactless (both from a
consumer and a retailer
perspective);
highlight the improved payment
experience for the consumers;
choice of application for
mid 2016
2015-11-26 ERPB item 6 ERPB CTLP working group final report 7/66
contactless payments;
explain the benefits of using
contactless;
address consumer concerns
(privacy, safety, security, freedom
of choice, etc…);
training material for retailer staff.
E
Public
Admin. and
Transport
Sector where
card
payments are
suitable
The adoption of
contactless
payments by
certain sectors has
proven to be an
important catalyst
and is even
critical for their
take-up in various
countries.
Prioritise the installation and use of POI
terminals which are enabled to accept
EMVCo based contactless transactions.
on-going
F
ETSI
The
standardisation of
a generic secure
platform for the
mobile device and
of complementary
processes will
contribute to the
cost-effectiveness
with respect to the
development,
certification and
implementation of
mobile proximity
payment services.
i. Agree and put forward the
development of the specifications
of a “Smart Secure Platform”
(enabling the provision of value-
added services relying on
authentication of the user,
regardless of the mobile device,
communication channel and
underlying technology) taking into
account the requirements for
mobile payments, hereby
leveraging work already done by
EMVCo and Global Platform.
ii. Develop implementation guidelines
thereby leveraging work already
done by Global Platform that
define:
o a process to provide the
service providers with the
credentials to have access to
secure elements
o a process that allows a
service provider to be
authenticated, to securely
get the credentials to access
mobile device’s hardware
White paper
mid 2016
Specific.
Dec 2017
Dec 2016
2015-11-26 ERPB item 6 ERPB CTLP working group final report 8/66
vaults (e.g. the secure
element) and to
communicate with these
vaults.
G
Mobile
Payment
Providers
Promote the
usage of a generic
secure platform
for the mobile
device
Require the mobile devices to be qualified
according to the future work developed by
the ETSI “Smart Secure Platform” (see
Recommendation F).
Dec 2018
H
GSMA Provide clarity on
NFC enabled
mobile device
evaluation /
certification
processes
i. Develop an overview paper on the
functional and security evaluation /
certification of NFC enabled
mobile devices (covering all
aspects and configurations #SE
types, HCE, TEE, etc…) in co-
operation with Global Platform and
EMVCo. More in particular issues
related to contactless interference
issues should be addressed.
ii. Encourage European MNOs to
promote the sales of NFC enabled
equipment.
mid 2016
on-going
I
Mobile
Device
Manufacturer
s, Mobile OS
Developers
and GSMA /
MNOs
Consumer
independence of
mobile device for
the freedom of
choice on mobile
contactless
payment services
Provide access to the mobile device
contactless interface in order to ensure that
the consumer can have a choice amongst
payment applications from different
mobile payment providers, independently
of the mobile device and the operating
system used.
on-going
J
European
Commission,
Regulators
and the Cards
Stakeholders
Group
Address legal
issue for the
potential negative
impact it could
have on the take-
up of contactless
payments
To work together to ensure a consistent
understanding on “the choice of
application” in the IF Regulation (see [8])
and to address the impact that it could have
on contactless payments. Hereby the
impact analysis undertaken by the Cards
Stakeholders Group (see Annex 8) should
be taken into account.
mid 2016
Table 1: Recommendations
2015-11-26 ERPB item 6 ERPB CTLP working group final report 9/66
0 Document information
0.1 Structure of the document
This section describes the structure of this final report. Section 0 provides the definitions, and
abbreviations used in this document. The scope of the work is provided in section 1. Section 2 contains
a description of the methodology and survey used to gather the information represented in this report.
The vision for mobile and card-based contactless proximity payments is specified in Section 3. Section
4 portrays the current situation with respect to the actual implementations or planned implementations
of these types of payments through the description of country clusters. Section 5 is devoted to the
description of the barriers and gaps prioritised by the ERPB Working Group which were identified
through the survey. It further contains key observations related to these barriers which have been used
as basis to specify the recommendations presented in Section 6.
Annex 1 presents the ERPB Mandate while Annex 2 shows the composition of the ERPB Working
Group. The survey used for the preparation of this report is provided in Annex 3. Annex 4 represents
the outcome on the barriers and gaps identified through the survey. Annex 5 lists the legal and
regulatory requirements identified which impact these payments while Annex 6 provides the technical
and security references for these payments. Annex 7 provides some country profiles as typical
examples for the implementation of contactless payments. Annex 8 provides the outcome of the impact
analysis of the IF Regulation on contactless payments conducted by the Cards Stakeholders Group.
0.2 References
This section lists the references mentioned in this document. Square brackets throughout this document
are used to refer to a document of this list.
[1]
EMVCO specifications
http://www.EMVCo.com
[2]
Global Platform
TEE System Architecture
http://www.globalplatform.org/
[3]
ISO/IEC 14443: Identification cards -- Contactless integrated circuit cards --
Proximity cards – Parts 1-4.
http://www.iso.org
[4]
ISO/IEC 18092: Information technology -- Telecommunications and
information exchange between systems -- Near Field Communication --
Interface and Protocol (NFCIP-1).
http://www.iso.org
[5]
ISO 20022: Financial Services - Universal financial industry message scheme –
Parts 1-8.
http://www.iso.org
[6]
Payment Services Directive
Directive 2007/64/EC of the European Parliament and of the Council of 13
November 2007 on payment services in the internal market.
[7] Payment Service Directive 2
Ref. Title
2015-11-26 ERPB item 6 ERPB CTLP working group final report 10/66
Draft Directive of the European Parliament and of the Council on payments
services in the internal market and amending Directives 2002/65/EC,
2013/36/EU and 2009/110/EC and repealing Directive 2007/64/EC
[8]
IF Regulation
Regulation (EU) 2015/751 of the European Parliament and of the Council of 29
April 2015 on interchange fees for card-based payment transactions.
Table 2: References
0.3 Definitions
The following terminology is applied in this document. The abbreviations used may be found in
section 0.4.
Term Definition
2D barcodes
A two dimensional barcode is a machine-readable optical label that
contains digital information. They are also referred to as matrix
barcodes. Examples include QR codes and tag barcodes.
Acquirer
A PSP or one of their agents that enters into a contractual relation with a
merchant and an issuer via the card payment scheme, for the purpose of
accepting and processing card transactions.
Authentication
The provision of assurance of the claimed identity of an entity or of data
origin.
Bluetooth low energy
(BLE)
A wireless personal area network technology designed and marketed by
the Bluetooth Special Interest Group aimed at novel applications
including beacons. Compared to classic Bluetooth, BLE is intended to
provide considerably reduced power consumption and cost while
maintaining a similar communication range.
Card Payment Scheme A card payment scheme is a technical and commercial arrangement
(often referred to as the “rules”) between parties in the card value chain,
resulting in a set of functions, procedures, arrangements, rules and
devices that enable a consumer (cardholder) to perform a payment
transaction, and/or cash withdrawal or any other card service. The
members of the card scheme can issue or acquire transactions performed
within the scheme.
Consumer
A natural person who, in payment service contracts covered by the [6],
is acting for purposes other than his trade, business or profession (as
defined in [6]).
Consumer Verification
Method
A method for checking that a consumer is the one claimed.
Contactless Technology
A radio frequency technology operating at very short ranges so that the
user has to perform a voluntary gesture in order that a communication is
initiated between two devices by approaching them. It is a (chip) card or
mobile payment acceptance technology at a POI device which is based
on ISO/IEC 14443 (see [3]).
Contactless Card
Payment
A card based proximity payment where the payer and the payee
communicate directly using contactless technologies.
Customer
A consumer or a merchant.
Credential(s)
Payment account related data that may include a code (e.g., mobile
code), provided by the issuer to their customer for
2015-11-26 ERPB item 6 ERPB CTLP working group final report 11/66
identification/authentication purposes.
Digital wallet
A service accessed through a consumer device which allows the wallet
holder to securely access, manage and use a variety of
services/applications including payments, identification and non-
payment applications. A digital wallet is sometimes also referred to as
an e-wallet.
EMVCo
An LLC formed in 1999 by Europay International, MasterCard
International and Visa International to enhance the EMV Integrated
Circuit Card Specifications for Payments Systems. It manages,
maintains, and enhances the EMV specifications jointly owned by the
payment systems. It currently consists of American Express, Discover,
JCB, MasterCard, Union Pay and VISA (see [1]).
Host Card Emulation
(HCE)
A technology that enables mobile devices to emulate a contactless card.
HCE does not require the usage of a secure element for storage of
sensitive data such as credentials, cryptographic keys, …
Issuer
A PSP or one of their agents that supplies the card payment account and
the card services (including card data) to the cardholder, and is a
member of a card payment scheme.
The Issuer enters into a contractual relationship with a consumer
(cardholder) and guarantees payment to the acquirer for transactions that
are in conformity with the rules of the relevant card payment scheme.
Merchant
The beneficiary within a mobile payment scheme for payment of goods
or services purchased by the consumer/payer. The merchant is a
customer of its PSP.
Mobile code
A user verification method used for mobile card payments. It is a code
entered via the keyboard of the mobile device to verify the cardholder’s
identity as a cardholder verification method.
Mobile Contactless
Payment (MCP)
A mobile proximity payment where the payer and the payee
communicate directly using contactless technologies.
MCP application
An application residing in a secure environment performing the payment
functions related to a Mobile Contactless Payment (MCP), as specified
by the MCP application issuer in accordance with the payment scheme.
Mobile device
Personal device with mobile communication capabilities such as a
telecom network connection, Wi-Fi, Bluetooth … which offers
connections to internet.
Examples of mobile devices include mobile phones, smart phones,
tablets.
Mobile Network
Operator (MNO)
A mobile phone operator that provides a range of mobile services,
potentially including facilitation of NFC services. The MNO ensures
connectivity Over the Air (OTA) between the consumer and its PSP
using their own or leased network.
Mobile payment service
Payment service made available by software/hardware through a mobile
device.
(Mobile) proximity
payment
A (mobile) payment where the consumer and the merchant (and/or their
equipment) are in the same location and where the communication
between the consumer device (card or mobile device) and the Point of
Interaction device takes place through a proximity technology (e.g.,
contactless including NFC, 2D barcodes, BLE, etc.). (Mobile) proximity
payments include but are not limited to (mobile) contactless payments.
Contact card payments are excluded.
2015-11-26 ERPB item 6 ERPB CTLP working group final report 12/66
Mobile service
Service such as identification, payment, ticketing, loyalty, etc., made
available through a mobile device.
Mobile wallet
A digital wallet accessed through a mobile device. This service may
reside on a mobile device owned by the consumer (i.e. the holder of the
wallet) or may be remotely hosted on a secured server (or a combination
thereof) or on a merchant website. Typically, the so-called mobile wallet
issuer provides the wallet functionalities but the usage of the mobile
wallet is under the control of the consumer.
NFC (Near Field
Communication)
A contactless protocol specified by ISO/IEC 18092 [4].
Payment account
Means an account held in the name of one or more payment service
users which is used for the execution of payment transactions (see [6]).
Payment Service
Provider
The bodies referred to in Article 1 of the [6] and legal and natural
persons benefiting from the waiver under Article 26 of the [6].
Payment transaction
An act, initiated by the consumer of placing, transferring or withdrawing
funds (as defined in [6]).
POI device
“Point of Interaction” device; the initial point where data is read from a
consumer device or where consumer data is entered in the merchant’s
environment. As an electronic transaction-acceptance product, a POI
consists of hardware and software and is hosted in acceptance
equipment to enable a consumer to perform a payment transaction. The
merchant controlled POI may be attended or unattended. Examples of
POI devices are Point of Sale (POS), vending machine, Automated
Teller Machine (ATM).
Secure Element (SE)
A certified tamper-resistant platform (device or component) capable of
securely hosting applications and their confidential and cryptographic
data (e.g., key management) in accordance with the rules and security
requirements set forth by a set of well-identified trusted authorities.
Examples include universal integrated circuit cards (UICC), embedded
secure elements, chip cards and secure digital cards.
Secured Server
A web server with secure remote access that enables the secure storage
and processing of payment related data.
Trusted Execution
Environment (TEE)
An execution environment (as defined by Global Platform, see [2]) that
runs alongside, but isolated from a main operating system. A TEE has
security capabilities and meets certain security-related requirements: it
protects TEE assets from general software attacks, defines rigid
safeguards as to data and functions that a program can access, and resists
a set of defined threats.
User Interface (UI)
An application enabling the user interactions.
Table 3: Terminology
0.4 Abbreviations
Abbreviation Term
2D barcode
Two dimensional barcode
BLE
Bluetooth Low Energy
C2B
Consumer-to-Business
C2C
Consumer-to-Consumer
ETSI
European Telecommunications Standards Institute
2015-11-26 ERPB item 6 ERPB CTLP working group final report 13/66
GP
GlobalPlatform
GSMA
The GSM Association
HCE
Host Card Emulation
HSM
Hardware Security Module
MCP
Mobile Contactless Payment
MNO
Mobile Network Operator
NFC
Near-Field Communications
OS
Operating System
OTA
Over the Air
POI
Point of Interaction
PSD
Payment Services Directive
PSP
Payment Service Provider
QR code
Quick Response code
SE
Secure Element
TEE
Trusted Execution Environment
UI
User Interface
Table 4: Abbreviations
1 Scope
The scope for this report on mobile and card based contactless proximity payments was specified in
the mandate given in December 2014 by the ERPB (see Annex 1) to the dedicated Working Group
(see Annex 2 for its composition).
The main goal is to address issues related to the muted take up of mobile and card based contactless
proximity payments. Several innovative payment solutions rely on contactless technologies to perform
payments or on proximity technologies to initiate payments. They usually provide a more convenient
user experience at the point of interaction (POI) and a substantially faster check-out. Even though
these types of payments are still at an early stage of development, there is already a trend towards
setting standards that differ across schemes, devices and countries. The purpose of the work it to
analyse existing solutions and standards (both national and international) and assess to what extent
there are differences in standards and technical implementation preventing interoperability at pan-
European level.
This final report contains a vision for mobile and card based contactless proximity payments in the
European Union, the analysis of the market conditions and a set of recommendations. These
recommendations identify concrete actions to be taken in the cooperative space in order to realise the
essential conditions to materialise the vision.
2 Methodology
Throughout the first semester of 2015 the participants to the ERPB Working Group on mobile and card
based contactless proximity payments gathered and analysed information related to these payments. A
dedicated survey (see Annex 3) amongst the participants of the Working Group was organised to
collect this information.
The aim of this survey was to provide input on the following topics:
2015-11-26 ERPB item 6 ERPB CTLP working group final report 14/66
A. Existing or planned mobile and card based contactless proximity payment solutions;
B. Existing or planned white papers and technical and security specifications / standards
related to mobile and card based contactless proximity payments;
C. Existing or planned regulations and recommendations / guidelines on mobile and card
based contactless proximity payments, including security and privacy aspects;
D. Issues or barriers that may prevent the development of pan-European solutions.
In total 57 responses to the survey have been received, representing 25 countries both from the demand
and the supply side. The input received on existing and planned mobile and card based contactless
proximity implementations is reflected in section 4.
Based on the inputs received, the Working Group specified an overall vision for mobile and card based
contactless proximity payments in the European Union which is presented in section 3. It further
derived from the survey the barriers and gaps which need to be addressed towards the realisation of
that vision. The feedback, based on the 49 inputs received on the barriers and gaps identified through
this survey, is contained in Annex 4, with an indication if they are in the competitive or cooperative
space. The Working Group subsequently prioritised a number of main barriers and gaps and specified
for each barrier related key observations (see section 5). These barriers and key observations have
formed the basis to develop concrete recommendations including guidelines and actions to be taken in
order for the essential conditions in the cooperative space to materialise towards the realisation of the
vision.
3 Vision
The Working Group defined the vision for mobile proximity and card based contactless payments in
the European Union as follows:
“To ensure over time, across Europe, a secure, convenient, consistent, efficient and trusted payment
experience for the customer (consumer and merchant) for retail transactions at the Point of
Interaction (POI), based on commonly accepted and standardised contactless and other proximity
payment technologies.”
This vision is based on the following guiding principles:
Technical interoperability of contactless and other proximity transactions across Europe (based
on common technical, functional and security standards and certification / evaluation
framework) both for consumer devices (cards, mobile devices, wearables, …) and POIs;
Wide availability and usability of appropriate POI equipment and consumer devices;
Appropriate security and privacy to build up and maintain trust.
This should lead to an enhanced payment experience - faster check out, user-friendliness, better
integration of value added services with payment - and to cost-effectiveness for Society.
4 Contactless and other proximity implementations in Europe
This section portrays the current situation with respect to the actual implementations of mobile and
card based contactless payments through the description of country clusters. Focus has been given to
this type of payments since they appear to be the most mature proximity payments in the market.
2015-11-26 ERPB item 6 ERPB CTLP working group final report 15/66
However, it should be noted that different countries have also implemented other types of proximity
payments, mostly based on QR codes, however, most of them appear to be closed, proprietary
solutions which do not operate cross-border.
4.1 Some “contactless” payment statistics
Given that the European market shows a heterogeneous level of consumer adoption of electronic
payment instruments across countries and, considering as well that different paces and approaches are
noted for the adoption of contactless payments, the present report presents a European payment market
analysis conducted at country level, where fewer differences occur.
With the objective to streamline the definition of guidelines and strategies aimed to expand the usage
of mobile and card based contactless payments, the WG identified groups of countries that show
similar levels of usage of contactless payment solutions and defined them as country clusters. The
criteria adopted to define these country clusters are the usage of card payments and the presence and
usage of contactless solutions (mainly card based). The WG used both the ECB payment statistics data
and the contributions of their participants.
As the level of presence of card payments in a country was identified as an important factor with
respect to the possible take-up of contactless payments in view of the existing card payment
infrastructure and customer habituation (consumer and merchant), a first criterion which was analysed
was the number of card
2
payment transactions. Hereby, three segments were defined in relation to this
criterion, namely “low”, “medium” and “high” as follows:
Level Number of card transactions per capita
Low
< 75 transactions per year (an average of circa 1,5 transactions per week)
Medium
between 75 and 150 transactions per year (an average of between 1,5 and 3
transactions per week)
High
> 150 transactions per year (an average of more than 3 transactions per week)
Table 5: Definition of levels of card transactions per country
The table below summarises the result of the segmentation exercise based on the 2014 figures
provided by the ECB for the first criterion.
2
Debit, Credit, Deferred debit.
2015-11-26 ERPB item 6 ERPB CTLP working group final report 16/66
Table 6: Card transactions per country
As second criterion the total numbers of contactless transactions versus the total numbers of face to
face card transactions were analysed, defining a penetration percentage per country. Four segments
were defined in relation to this criterion as shown in the table below whereby every country was
classified in accordance to the data gathered from the ERPB WG participants.
The table below summarises the result of the segmentation exercise based on the second criterion.
Refyear
2014
Population
(million)
TotalCard
Transactions
(million)
Card
Trans a ctions
percapita
(units)
Level
Austria 9 559 65 low
Belgium 11 1,508 135 medium
Bulga ria 7 65 9 low
Czech 11 484 46 low
Denmark 6 1,516 269 high
Germany 82 3,335 40 low
Estonia 1 247 187 high
Ireland 5 435 94 medium
Greece 11 88 8 low
Spain 46 2,760 59 low
France 66 9,438 143 medium
Croatia 4 218 51 low
Italy 61 2,034 33 low
Cyprus 1 40 47 low
Latvia 2 191 96 medium
Lithuania 3 172 59 low
Luxembourg 1 102 182 high
Hungary 10 359 36 low
Malta 0 19 45 low
Netherlands 17 3,169 188 high
Norway 5 1,890 369 high
Poland 38 1,873 49 low
Portugal 10 1,274 123 medium
Romania 20 228 11 low
Slovenia 2 140
68 low
Slova kia 5 273 50 low
Finland 5 1,331 244 high
Sweden 10 2,620 270 high
UK 65 13,010 201 high
2015-11-26 ERPB item 6 ERPB CTLP working group final report 17/66
Table 7: Contactless transactions penetration (Q2 2015)
The combination of these two indicators can be used to define five different clusters of countries with
respect to the take-up of contactless payments. The clusters identified are labelled as follows:
“Developed”, “In development”, “Movers”, “Slow movers” and “Last Movers”. The table below
provides a brief description of the different clusters.
TransactionPenetration
<3%
TransactionPenetration
3%‐9%
TransactionPenetration
10%‐50%
TransactionPenetration
>50%
Markets Belgium
Bulgaria
Cyprus
Denmark
Estonia
Finland
Germany
Greece
Italy
Latvia
Lithuania
Luxemburg
Malta
Norway
Portugal
Romania
Slovenia
Sweden
Austria
Croatia
France
Ireland
Netherlands
Spain
Hungary
Poland
Slovakia
UK
CzechRepublic
2015-11-26 ERPB item 6 ERPB CTLP working group final report 18/66
Labels Country cluster description
Developed
The consumers in the countries assigned to this cluster present a
consolidated usage of contactless payments. These markets are pioneering
the payment innovation and the consumer adoption of contactless payments
is massive. It is driving a consistent increase in the total number of card-
based transactions.
In development
The consumers in the countries assigned to this cluster present a medium
usage of contactless payment and the market stakeholders are actively
pursuing the implementation of contactless solutions despite the fact that
consumers in these payment markets are not strongly accustomed to using
card payments. Consumer adoption of contactless payments is often mainly
concentrated in metropolitan areas. It is driving a noticeable increase in the
total number of card-based transactions.
Movers
The consumers in the countries assigned to this cluster present a medium
level of usage of contactless payments in a market where consumers are
already accustomed to using card payments. Consumer adoption of
contactless payments is increasing fast and is driving a consistent increase
in the total number of card-based transactions.
Slow movers
The consumers in the countries assigned to this cluster present a low level
of usage of contactless payments. On the other hand these markets are
among the most developed in terms of card and electronic payments usage.
The introduction of contactless solutions has not been recognised yet as a
factor for further development of consumer payment behaviour.
Last Movers
The consumers in the countries assigned to this cluster present a low level
of usage of contactless payments in a market that is also less developed in
terms of card payments usage. The introduction of contactless solutions
might be a factor for further development of consumer payment behaviour
and number of card-based transactions.
Table 8: Definition of country clusters for contactless payments
The next table presents the result of the clusterisation analysis of country markets based on the
previously defined labels in Table 8 and using the criteria of Tables 6 and 7:
2015-11-26 ERPB item 6 ERPB CTLP working group final report 19/66
Table 9: Country clusters for contactless payments
An additional indicator for the take-up of contactless payments is the proportion of contactless cards
and active contactless enabled POIs versus the total number of cards and POIs. The table below shows
the actual contactless infrastructure penetration grid based on Q2 2015 figures obtained from the
ERPB WG participants.
Contactlesspaymentsusage(2015)
Cardpaymentsusage(2014)
>50% CzechRepublic
Between10%and50%
Hungary
Poland
Slovakia
UK
Between3%and9%
Austria
Croatia
Spain
France
Ireland
Netherlands
<3%
Bulgaria
Cyprus
Germany
Greece
Italy
Lithuania
Malta
Romania
Slovenia
Belgium
Latvia
Portugal
Denmark
Estonia
Finland
Luxemburg
Norway
Sweden
Low Medium High
Developed
In development
Movers
Slowmovers
Lastmovers
2015-11-26 ERPB item 6 ERPB CTLP working group final report 20/66
Issuance penetration: percentage of contactless enabled cards within all cards issued
Acceptance penetration: percentage of activated contactless enabled POIs within all POIs
Table 10: Contactless infrastructure penetration (Q2 2015)
4.2 Some lessons learnt
Next to the statistics provided in the previous section, it is also interesting to have a closer look to
some specifics of countries which have introduced contactless payments over the past years. As an
example, a closer analysis has been made on Poland and the UK with the purpose to derive some key
findings with respect to increasing the speed of the introduction and usage of contactless payment. A
detailed description of these two country profiles may be found in Annex 7.
The key findings derived may be described as follows
The importance of central coordination in the country:
The central coordination between the different (even competing) stakeholders involved, in the
launch of a pilot and further roll-out of contactless payments has played a key role in the
smooth implementation in certain countries. It has allowed for a more consistent customer
experience, a coordinated retailer approach, issuance of supporting documentation at country
level (e.g. the UK guidelines for POIs, see [UKC2] in Annex 6), the prompt common handling
of issues detected, and last but not least cost-effectiveness.
The contactless transaction amount limit:
The common agreement by all stakeholders involved in the market roll-out of contactless
payments in a country on the transaction amount limit without the presentation of a consumer
verification method (e.g. PIN or mobile code) and subsequent monitoring on the transaction
behaviour and impact has proven to considerably influence the take-up of contactless
payments. As an example, the UK has increased the transaction amount limit for a third time.
Contactlesscards Lowacceptance
penetration(<10%)
Mediumacceptance
penetration(10%‐50%)
Highacceptance
penetration(>50%)
Highissuance
penetration(>50%)
Austria
France
Ireland
Netherlands
CzechRepublic
Poland
Slovakia
Mediumissuance
penetration(10%‐49%)
Denmark
Luxembourg
Portugal
Norway
Bulgaria
Croatia
Cyprus
Finland
Germany
Greece
Italy
Romania
Slovenia
Hungary
Spain
UK
Lowissuancepenetration
(<10%)
Belgium
Latvia
Sweden
2015-11-26 ERPB item 6 ERPB CTLP working group final report 21/66
In Poland only recently transactions above the limit can be conducted contactless with the
presentation of a consumer verification method (e.g. PIN at POI or mobile code at mobile
device) where before a contact card transaction was required.
The involvement of certain sectors: large retail stores, transport/transit sector:
The take-up of contactless payments by major retailers (e.g. groceries) and the transit sector has
given a great boost to contactless payments. Indeed, the fact that consumers daily make use of
these services has considerable contributed to their habituation to and embracement of
contactless technology. Moreover, the usage by the transit sector of EMV-based contactless
technology in certain countries like the UK, rather than developing their own solution, had a
direct impact on the usage scale of these payments and obviously led to cost-effectiveness.
Merchant staff training
The appropriate training of merchant staff is recognised as a key factor for the consumer
experience in the retail shops. Not only appropriate knowledge of how a contactless transaction
needs to be handled but also regular asking consumers to pay contactless should be part of the
staff education. This training could be accompanied by appropriate promotion campaigns (e.g.
“tap & go”).
Consumer communication and awareness
The combined usage of various means of communication to consumers is important. This could
include explaining the feature in the welcome call, in the welcome pack, statement insert, ATM
screens, dedicated campaigns to support contactless payments and promotional messages
mainly for customer education where for instance the measured contactless speed and facts are
included.
5 Main barriers for the realisation of the vision
The survey reflected that nowadays the market has considerably matured with respect to card
contactless payments, largely based on the EMVCo specifications, while it appears to be still early
days for mobile proximity payments, including mobile contactless payments. Concerning the latter,
NFC seems to be the widest adopted technology nowadays for mobile proximity payments (in analogy
to contactless card payments) although also other technology solutions have been introduced to initiate
mobile proximity payments such as 2D barcodes, beacons, ... It should be noted that for the latter, the
underlying payment instrument may not be a card payment.
The survey highlighted the presence of barriers and gaps for the different types of payments in scope.
In view of their market maturity, less barriers and gaps have been identified for contactless card
payments compared to mobile proximity payments. It is generally expected that the creation of the
necessary conditions for removing these barriers might be easier for card based contactless payments
than for mobile based proximity payments.
Below in section 5.1 follows a list of the barriers which were prioritised as being valid for both
contactless card and mobile proximity payments, while section 5.2 presents a list of additional barriers
dedicated to mobile proximity payments.
2015-11-26 ERPB item 6 ERPB CTLP working group final report 22/66
5.1 Barriers for proximity payments
5.1.1 Lack of a common (open) set of specifications and implementation guidelines
for proximity payments transactions
Issue description
The lack of a complete common set of (open) specifications and implementation guidelines for
proximity payment transactions, - both card and mobile device based - creates differences across
Europe in proximity payment products and in customer (both consumer and merchant) experience
which hinder technical interoperability and prevent cost-effectiveness for Society.
More in particular, the survey identified the following issues for mobile and card based EMV
contactless payments which should be addressed through standardisation work:
Multiplicity of acceptance implementation options creating issues at the POI (e.g. PIN on line
not supported, TAP + mobile code + TAP not supported, etc.);
Difference in implementation between online and offline transactions in different geographies
in Europe may lead to an inconsistent consumer experience (and missed business opportunities
for merchants and PSPs);
In addition, the following specific issues for standardisation (in random order) related to mobile
proximity payments were reported through the survey:
Lack of interoperability of existing acceptance infrastructure (accepting NFC and 2D barcodes
on the same POI).
Time at check-out with POI should be at least as fast as with a card payment;
Lack of standardisation in the payment initiation message for new proximity technologies such
as 2D barcodes
3
or BLE;
Lack of standards for the enrolling in digital wallets;
The absence of standard procedures to personalise card data into secure elements;
The presence of multiple consumer verification methods (no PIN, PIN at POI, mobile code,
fingerprint,…) leading to non-interoperable solutions and consumer confusion;
Co-existence of multiple mobile contactless payment applications on multiple secure elements,
cloud, host card emulation, etc. need to be addressed in a consistent manner to ensure optimal
consumer experience.
Key observations
Within the card and mobile based proximity payments environment, the standardisation work for EMV
contactless payments is already well-advanced and implemented, especially with regards to the
interaction between the POI and the consumer device (either card or mobile device). Some
improvements may be identified to further enhance the customer experience and solve some
interoperability issues as noted through the survey. On the opposite, for other proximity payment
techniques (such as 2D barcodes, BLE, etc.) there are no (open) common specifications yet and
existing proximity technologies and standards are not yet widely known in the payment industry.
The most prevalent technology on the market nowadays for contactless payments is based on NFC and
employs the EMVCo specifications (see [1]). EMVCo is already working on the next generation of
their specifications which aim to unify the requirements for all payment contexts, covering both
3
Note that the EPC published guidelines on the usage of QR codes for the initiation of a SEPA credit transfer (EPC 069-
12) but not for the specific usage in a mobile environment.
2015-11-26 ERPB item 6 ERPB CTLP working group final report 23/66
contact and contactless card transactions through a single specification for the POI kernel (currently
multiple kernel specifications exist – to date 7 have been registered by EMVCo). The final version of
these specifications, referred to as “EMV Next Generation” are planned to be released by end 2016.
The implementation of EMV Next Generation specifications could be part of a solution to create a
level playing field through standardisation in the cards-to-POI and in the POI application domains.
This process might be further complemented with the development of common minimum security
requirements for the contactless payment application and of specifications for the POI-to-acquirer
domain, the latter being addressed by other organisations such as Nexo. The migration to a single
protocol in the POI-to-acquirer domain would allow moving away from domestic, proprietary
protocols which hinder cross-border interoperability and would result in an improved cost-
effectiveness. Simplifying the access to the card acquiring market via the standardisation of contactless
card environment related specifications enhances competition.
There are EMV and Global Platform specifications for personalising card data into secure elements
that could be referenced in a set of standard personalisation procedures.
The lack of commonality between EMV implementations within Europe (e.g. some countries support
online PIN, others do not) could be addressed through the development of implementation guidelines.
Complementary to the development of implementation guidelines specifications and requirements,
appropriate existing testing, evaluation and certification processes should be revisited and potentially
further developed to meet these new requirements which should be resulting in a “unified” certification
framework.
5.1.2 Lack of customer demand and contactless payment experience
Issue description
A lack of familiarity makes it difficult for customers (both consumers and merchants) to employ
contactless payments. Trust and confidence in these payments should be built by the industry
leveraging the advantages of these solutions. The multiple solutions that exist in contactless payment
products create some variations in the user experience. For example, different consumer devices can be
used to initiate a contactless transaction (card, mobile, sticker, key fob, watch, etc.) and POIs may have
different set-ups (see also section 3.5). Moreover, multiple consumer verification methods are
available (PIN on POI, mobile code on mobile device, biometrics on mobile device or absence of any
consumer verification methods, etc.). These variances contribute to the creation of a lack of clarity
with regards to contactless payments and a lack of trust both from consumers and merchants. This
affects the take-up of contactless payment products.
Key observations
Customers (both consumers and merchants) lack familiarity and trust with other form factors and
technologies than contactless cards. The customer experience could be improved by defining
standardised sets of rules and user interface requirements
4
for the different payment use cases and
merchant environments which ultimately may result in a more consistent user experience across SEPA
(see also section 5.1.5).
4
In analogy to the document developed by the UK Cards Association with MasterCard and Visa on a Contactless User
Interface for Europe and the UK, based on EMV Contactless Specifications for Payment Systems – Book A: Architecture
and General Requirements (see [1]).
2015-11-26 ERPB item 6 ERPB CTLP working group final report 24/66
Furthermore, the consumer awareness should be increased through communication activities (with
respect to liability, security, proximity habits, speed, etc.) by merchants and/or payment service
providers, but possibly also through multi-stakeholder generic commercials. A coordinated
communication effort by all stakeholders might effectively contribute to increasing the familiarity with
contactless payment products. This would promote the market take-up of these solutions.
Finally to enhance the trust and confidence, the consumer should be provided with an opt-out to
contactless products. How to achieve this is a PSP’s implementation option.
5.1.3 Lack of ubiquity of POIs
Issue description
The payments market is a two-sided market. This means that for a payment product to become
successful, it has to be frequently used by consumers on one side, but also widely accepted by
merchants on the other side. A large part of the POI terminals in Europe today is not equipped for
contactless transactions yet. The average merchant take-up of contactless POIs is slow because it is
usually linked to the POI lifecycle (i.e. renewal of POIs) and the associated costs. The European
market presents itself fragmented in that respect; in some countries the retailers already have a large
percentage of POIs which support contactless technology while in other countries only a limited
number of merchants with contactless POIs are available. As a consequence, consumers which have
been provisioned with a contactless payment instrument are not always offered sufficient opportunities
to use contactless technology. This hinders consumer and merchant habituation and ultimately leads to
an even slower take-up of contactless payment solutions.
Key observations
A lack of availability of contactless POIs makes the uptake of contactless payments by consumers
difficult. Note that this is not only matter of take-up by the retail sector but in some countries a lack of
support from the acquirers for promoting, selling and deploying contactless POIs is to be noted.
Deployment of EMV compatible contactless POI terminals has been successful where coordination at
country level took place (e.g. UK, Poland, and Czech Republic). A second success factor is the
involvement of particular retail sectors, such as large grocery departments, were the consumer has a
recurrent payment experience or the involvement of other consumer services such as public transport.
In order to enhance the availability of contactless POI terminals, some of the (international and
domestic) card schemes have mandated in Europe the migration of the POI terminal base to support
contactless technology.
Where legally possible, a further incentive could be created through the deployment of contactless
technologies by public authorities and administrations in the respective countries in Europe. They may
play an exemplary role in this by for instance accepting contactless payments related to public services
such as specific tax and (local) administrative fees collections.
5.1.4 Security and privacy
Issue description
Various stakeholders have a general concern about the security and the privacy issues related to
contactless payments. Additional risks are perceived from the introduction and the usage of contactless
technology (e.g.; short range technology used in the communication between the consumer device and
the POI creating an opportunity for electronic eavesdropping) and should be adequately addressed.
2015-11-26 ERPB item 6 ERPB CTLP working group final report 25/66
Also new risks associated with the usage of mobile devices (see also section 5.2.2), instead of physical
cards, by the consumers pose new security challenges.
With regard to mobile proximity payments, payment credentials may be stored in new environments
(such as hardware / software modules on the mobile device or back-end servers (clouds) accessed via
the mobile device), each come with different security and privacy threats which need to be
appropriately countered by security measures.
In case of security breaches, the appearance of subsequent fraudulent transactions may result in a lack
of trust in contactless payments which in turn can hinder market take-up.
Key observations
With respect to contactless payments in general, it is very important to have an appropriate
communication towards the customers to address privacy and data protection concerns, to inform
about the security of the payment instrument and to explain how (exceptional) fraudulent transactions
would be handled. This communication is important to create customer (both consumer and merchant)
trust which is an important pillar for an increased market take-up of contactless payment products.
Merchants also expressed the need for the identification of the form factor of the consumer device at
the POI.
Privacy appears to be a bigger concern with mobile proximity payments than contactless card
payments. The mobile environment is seen as more vulnerable than the card.
In particular, related to the security of mobile contactless payments, the SecuRe Pay Forum drafted a
preliminary set of security recommendations in 2013. This work was handed over to the EBA as one of
the potential inputs for the future development of guidelines and regulatory technical standards
mandated within the PSD2 (see [7]).
Last but not least, in the mobile proximity payment ecosystem, which is far more complex than the
contactless card ecosystem and which involves many more stakeholders, a same minimum level of
security for each stakeholder in the payment chain should be ensured. At the same time, a relevant
distribution of liabilities should be applied accordingly amongst these stakeholders.
5.1.5 Consumer interaction with POI
Issue description
Besides the lack of familiarity of consumers regarding contactless payment products in general which
was mentioned in section 5.1.2, there still seems to be a lot of uncertainty when consumers face a POI
and wish to perform a contactless payment: is the POI contactless enabled, where should I wave my
consumer device (the POIs which are contactless enabled may have the contactless interaction point
placed in different positions), has the payment been executed, do I get a receipt?
There are also accessibility issues concerning contactless POIs for people who are visually impaired or
have a physical or mental disability or who are chronically ill. For example, the sound of the beep at
the moment of contactless interaction is not loud enough, the palpability of certain keys is not good
enough or the contrasting colors on the display make it difficult to read. These issues prevent certain
groups of consumers to use contactless payment products.
2015-11-26 ERPB item 6 ERPB CTLP working group final report 26/66
Key observations
The development of common minimum requirements for contactless POIs, including a common
symbol for the contactless spot, requirements on audio feedback and on the displays and keyboards to
ensure that everyone in the society is able to use contactless payment products, may contribute to a
more uniform payment experience. EMVCo has already undertaken some work in that respect with
specifications for the POI user interface which are contained in the EMV Contactless Specifications
for Payment Systems – Book A: Architecture and General Requirements (see [1]). However, the POI
vendors have a number of choices within the specified requirements.
EMVCo has also developed two contactless marks: a contactless indicator (e.g. the consumer device)
and a contactless symbol (e.g. for the POI) with licensing agreements and reproduction requirements
which may be found in the “Best Practices” section on their website (see [1]).
5.2 Additional barriers for mobile proximity payments
This section provides a description of additional prioritised barriers which apply specifically to mobile
proximity payments.
5.2.1 Fragmented and immature mobile technology landscape
Issue description
The market for mobile proximity payments is very fragmented with a lot of innovative but immature
solutions. The fragmentation derives either from the presence of multiple mobile solutions with a
limited geographical coverage or from the usage of different technologies, standards and business rules
across the existing mobile solutions.
Mobile devices provide the payment industry with multiple technologies to initiate and/or perform
payments. They have the capability to capture, store and transmit data in diverse and numerous ways.
The versatility of the mobile devices leave stakeholders in the ecosystem (including merchants, PSPs,
Mobile Network Operators (MNO), other service providers, …) with major challenges with respect to
the development of strategies / road maps with a viable business case and market reach.
Furthermore, being that the market for payment services is a multi-sided market, mobile proximity
payments solutions should be simultaneously introduced and employed on the consumer and merchant
sides. However, there is a lot of uncertainty how the market will develop and what will be the future
prevalent technology solution.
Some initiatives in this area are leveraging the card contactless acquiring infrastructure, others are
creating closed loop solutions with selected merchants, which are often subsidised for technology
integration. In many counties domestic solutions with local protocols are being employed. This results
in a large variety of solutions across Europe with no pan-European acceptance. Those solutions
involve different technologies and infrastructures resulting in interoperability issues which are a main
barrier for market integration. The market fragmentation is leading consumers and merchants to
confusion and limited adoption of the existing solutions.
Key observations
New payment products are often promoted to a national audience rather than European level. In this
situation similar solutions are developed and launched in different countries but unfortunately they are
not always interoperable with each other. This creates market fragmentation in Europe. Market
2015-11-26 ERPB item 6 ERPB CTLP working group final report 27/66
fragmentation in turn makes it difficult for suppliers of payment products to reach scale economies,
which in the payments market is a key factor for a business model to be successful.
The focus should be to develop basic standards for each of the mobile proximity technologies which
can be addressed at this very moment in view of where the market is today. Taking into account that
contactless payments are already much better adopted than other mobile proximity payments, it could
be appropriate to further develop pan-European implementation standards for mobile proximity
payments which are based on the EMVCo contactless specifications (see also 5.1.1).
It is also to be noted that the speed for adoption of card contactless payments has proven to be much
quicker in countries (e.g.; UK, Czech Republic, Poland …) where a centralised coordination took place
across payment market stakeholders with the support of the card schemes. A similar approach could be
advisable for mobile proximity payments.
5.2.2 Complexity and security of mobile devices
Issue description
A mobile device may be considered as a quite complex piece of equipment with many different
components, including the baseband, operating system, firmware, software, NFC controller, multiple
external interfaces, possibly a Trusted Execution Environment (TEE) and one or multiple Secure
Elements (SEs). Moreover, the production of these components involves different manufacturers
before integration in the mobile device. This means that functional and security standards should be
ensured throughout the whole production cycle. Also the presence of different software on the mobile
device, developed by diverse vendors or service providers, poses a significant challenge to the integrity
of the mobile device ecosystem.
It is also important to note that for providers of mobile contactless payment applications there is a
strong dependency on the handset manufacturers and mobile OS providers, which is a highly
competitive space with little cooperation on standardisation. Therefore they face a huge complexity
with different solutions for each handset and/or mobile OS. This means that they need to develop their
applications for a large number of different mobile platforms (combinations of different hardware and
software) in view of the current platform incompatibilities. This obviously comes with a cost impact
and may in some cases also lead to consumer confusion. The fact that there are multiple solutions on
the market which are different - read not compatible - makes it challenging for the supply side.
Moreover, once the devices are in usage by the consumer, there are a number of additional challenges
which remain to be addressed; security and privacy are the most relevant ones.
Indeed, consumer trust in mobile proximity payments is strongly linked to security and privacy. Two
aspects of security have to be considered, the first is the customer perceived security in the solution or
in the system, the second is the level of security the solution has which is strongly linked to its cost and
usability. Enhanced security often comes with additional costs while the user experience may be
negatively affected.
The mobile device is exposed to threats in view of the many interfaces it has, including change of
behaviour or incompatibility due to software upgrades, rooting (jail-breaking) of mobile phones, etc.
The increased presence of malware on mobile devices has to be noted and should also be kept under
careful consideration.
Finally, with regard to diversity and complexity, the consumers interact potentially with a multitude of
user interfaces related to different payment solutions, adding a further layer of complexity.
2015-11-26 ERPB item 6 ERPB CTLP working group final report 28/66
Key observations
The security threats and risk models related to the usage of mobile devices for payments are different
to the threats encountered for payments with contactless cards. Also the security features offered to
counter the threats are different for contactless card payments compared to mobile proximity
payments.
Security standards for mobile devices in support of mobile payments are not yet widespread nor
adopted since the market is living its early days.
Some organisations have already developed specifications and standards for securing the mobile
contactless payment environment. Furthermore, they have also created some testing and certification
activities in accordance with those standards and specifications.
Nevertheless the payment industry is still missing an overall framework for the usage of mobile
devices which addresses functionality, security and privacy. Such a framework could ensure a
widespread adoption and usage of mobile devices for (proximity) payments. There is a need for the
development of minimal security objectives / requirements for mobile devices (possibly through a
layered standardisation approach) in support of mobile payments (which can be met by different
technologies / implementations). A corresponding testing, evaluation and certification framework is
needed for the stability and security of mobile devices as a platform for mobile payments throughout
their lifecycle. In addition, appropriate consumer awareness is needed with respect to safeguarding the
security of their mobile device.
5.2.3 Lack of ubiquity of appropriate mobile devices
Issue description
As mentioned before, the NFC based contactless technology is considered nowadays as the most
promising one in terms of short and medium term development. The background for this is that
consistent investments are currently on-going to update the hardware on the supply side (PSPs are
issuing contactless enabled cards) and merchants are installing contactless POIs based on NFC
technology.
Whilst this trend is noticeable, with different intensity in each European country, the introduction of
mobile contactless payments still seems to suffer from a lack of availability of appropriate mobile
devices supporting the NFC functionality. Moreover, within the group of NFC enabled devices still a
minority of them is working with a mobile operating system supporting Host Card Emulation (HCE).
To date only Blackberry OS7 or newer and Android Kit Kat 4.4 or newer support HCE. Microsoft
announced the support of HCE in the mobile version of its Windows OS 10 later on in 2015.
Key observations
NFC based contactless technology is the most promising in terms of development in the short and
medium term. Contactless NFC based solutions are gaining traction across several geographies in
Europe, nevertheless this growth is mainly due to physical card based solutions.
The manufactures are gradually installing NFC hardware on the majority of the newly developed and
on sale models for mobile devices.
5.2.4 Mobile competitive landscape
The mobile ecosystem has proven over the last decade to be a very competitive landscape whereby
multiple services are accessed via the mobile device. This has come with a strong competition among
2015-11-26 ERPB item 6 ERPB CTLP working group final report 29/66
the different service providers on service levels and pricing. Mobile service providers are widening
their offer to other services which are accessed via the mobile device, including payments. The mobile
devices allow the co-existence of different payment solutions on a single device, even from multiple
PSPs either using similar or different technologies.
A characteristic this landscape presents is that it transforms the commercial relationships between the
consumers and PSPs and it changes the provisioning channel of the payment solutions.
Key observations
Currently it is unclear what will be the prevailing mobile proximity payment technology in the future,
which results into difficult decisions with respect to investments to be made. It is precisely the
competition between the different technologies that leads to a fragmented market.
However, there is a strong demand for more openness of the new solutions which are entering the
market today to support competitiveness; examples are an open (but secure) and free access to the
mobile device capabilities (including the NFC antenna, any component being it the SE or HCE).
With the objective of streamlining the consumer experience and facilitating payments, the industry
supply side recently introduced wallet services. These services represent a breakthrough in the
payment market; consumers have the opportunity of aggregating the payment service interfaces via the
wallet together with other information (e.g., loyalty reward scheme accounts, etc.). The wallet supplier
may be able to act as intermediary between the PSPs and the consumer; this could change the
commercial position of the PSPs towards the consumer.
It has to be noted that numerous mobile offerings are gaining consumer attention, interest and
preference. Nevertheless, consumer awareness on mobile device usage for payment services initiation
is still low. The will from the payment supply side to conquer the consumer preference might lead into
a movement towards the use of closed loop solutions, which could hinder widespread use of mobile
proximity payments, potentially leading again to market fragmentation.
5.2.5 Regulatory framework
Issue description
Regulatory authorities can play an important role in taking away barriers in the payments market.
However, excessive regulatory interference in the emerging and developing market of mobile
proximity payments could lead to unintended consequences such as stifling innovation in an immature
market or preventing the introduction of consumer focused services. Therefore it is important that new
regulation provides room for innovations and supports new market developments
.
Key observations
At the moment of publication of this final report, a recent European regulation directed to card
payments is the Interchange fee regulation. Although it might be too early to judge the effect of this
regulation, card based contactless payments are impacted in view of the requirements on the choice of
application
5
.
5
A dedicated impact analysis has being conducted in the Card Stakeholder Group (CSG), see Annex 8.
2015-11-26 ERPB item 6 ERPB CTLP working group final report 30/66
There is a general concern among some market participants that (further) regulatory activity might
disrupt consolidated business models, hamper the entrance of new players into the market and increase
the costs associated with regulatory compliance.
2015-11-26 ERPB item 6 ERPB CTLP working group final report 31/66
5.2.6 Complexity of mobile ecosystem
Issue description
An increased number of stakeholders are involved in the ecosystem for mobile proximity payments
compared to card payments in view of the complexity of the underlying infrastructure. At this time in
Europe the infrastructure used for mobile payment services is build up by many different parties and
components. This introduces new challenges from a business perspective. Next to the technical
complexity of issuing and operating payment applications through mobile devices, there is a huge
business complexity in view of the different and often new players involved in the value chain.
Establishing a business model across them, sharing customer ownership and revenues are recognised
to pose major challenges to the mobile payment ecosystem.
Key observations
The introduction of contactless card based solutions is easier and more straightforward compared to
mobile contactless payment solutions because it involves the same stakeholders as in the legacy
contact card ecosystem. The presence of additional business stakeholders in the mobile ecosystem
(depending on the adopted technology and architecture) aiming to gain revenues and customer
ownership results in an increased complexity of the overall business models. This condition impacts
the market take up of the mobile contactless payment solutions but clearly resides in the competitive
space.
2015-11-26 ERPB item 6 ERPB CTLP working group final report 32/66
6 Recommendations and guidelines
Based on the analysis for the prioritised barriers conducted in the previous section, the following recommendations have been specified. For each
recommendation the intended addressee is listed, next to a deadline and mapping on the identified barriers as described above, a high level estimation is
done on the impact of the implementation of the recommendation (High or Medium) on the identified barriers.
# Addressee(s) Rationale Recommendations Deadline Barriers
addressed
Impact
A
EMVCo
Multiple standards with a
variety of options are
currently present in the
market. The rationale is to
streamline the standards
used in the industry.
i. Speed up the creation of a single common POI
kernel specification for contactless (already
planned under Next Generation) and make the
specifications publicly available as soon as
possible.
ii. Limit the number of terminal configuration
options into the EMV Next generation
specifications, in order to allow consistency
among implementations and therefore provide
consumers a streamlined payment experience
across different terminals.
iii. Include in the Next Generation specifications a
parameter that would allow the identification of
the form factor of the consumer device used for
the initiation of the contactless transaction.
the latest Dec
2016
5.1.1
5.1.2
5.1.4
5.1.5
5.2.1
High
B
Card Scheme
Sector
Aligned card scheme
requirements and the
promotion of the adoption
of open protocols in the POI
domain will ease the take up
of contactless payments.
i. Define an aligned European mandate for the
implementation of contactless enabled POIs
including a specification of where they should be
available. The ECB should act as facilitator for
this.
ii. Harmonise the level of transaction limits at POI
at country level for payments per use case /
mid 2016
5.1.1
5.1.2
5.1.3
5.1.5
5.2.1
Medium
2015-11-26 ERPB item 6 ERPB CTLP working group final report 33/66
payment context.
iii. Request the usage of open protocols in the POI
domain and the POI to Acquirer domain which
are compliant to the Cards Standardisation
Volume and labelled by the Cards Stakeholders
Group.
iv. Mandate a common implementation plan for the
EMVCO Next Generation specifications with an
appropriate migration period
6
.
on-going
mid 2017
Dec 2017
C
Cards
Stakeholders
Group
The standardisation of open
specifications for a card and
mobile contactless payment
application, could allow
payment application
developers and card
manufacturers to reach
economy of scales and
would lower the cost of
these items for the Issuers,
fostering contactless
adoption.
i. Develop common requirements for contactless
transactions for inclusion in the Cards
Standardisation Volume Version 8.
ii. Conduct a feasibility study on the development
of open specifications for a card and mobile
contactless payment application, their
implementation, maintenance and testing. For
mobile applications, the open specifications
should also address the different possible
configurations for the management, provisioning
and personalisation of the card data: Secure
Element (UICC, Embedded, SD Card) and HCE.
The future specifications should leverage the
work of EMVCo and Global Platform.
iii. Develop use cases/payment contexts for
contactless payments (card and mobile based)
for integration in Cards Standardisation Volume
Dec 2016
Dec 2016
Dec 2016
5.1.1
5.1.2
5.1.4
5.1.5
5.2.1
5.2.2
High
6
This would also cover the identification of the form factor used for the initiation of the contactless transaction, see Recommendation A.
2015-11-26 ERPB item 6 ERPB CTLP working group final report 34/66
The specification of
common POI
implementation guidelines
will lead to a more uniform
payment experience, for
both the consumer and the
merchant
Version 8.
iv. Develop POI implementation guidelines
including common minimum requirements for
contactless POIs (both for the payment process
side and for the consumer/POI interface) hereby
leveraging the EMVCo work and addressing the
requirements of disabled people associations.
Adequate usage of available input should be
made (see for instance [DNF1], [EAN1],
[GIRO1] and [UKC2] in Annex 6).
Dec 2016
D
EPC, Consumer
and Retailers
Associations
Enhance society awareness
on contactless payments
Coordinate in co-operation with the Card Schemes an
institutional communication campaign of the ERPB
members to increase the familiarity with contactless
payment products (card and mobile based).
The communication campaign should result in the
creation and distribution of informative material on
contactless payment solutions and their usage to all the
ERPB members and affiliates. Moreover ERPB
members and the ECB are requested to make the
informative material produced available on their
websites.
This communication material should include the
following topics:
how to use contactless (both from a consumer
and a retailer perspective);
highlight the improved payment experience for
the consumers;
choice of application for contactless payments;
mid 2016 5.1.2
5.1.4
5.1.5
5.2.2
High
2015-11-26 ERPB item 6 ERPB CTLP working group final report 35/66
explain the benefits of using contactless;
address consumer concerns (privacy, safety,
security, freedom of choice
7
, etc…);
training material for retailer staff.
E
Public
Administrations
and Transport
Sector where
card payments
are suitable
The adoption of contactless
payments by certain sectors
has proven to be an
important catalyst and is
even critical for their take-
up in various countries.
Prioritise the installation and use of POI terminals which
are enabled to accept EMVCo based contactless
transactions.
on-going 5.1.3
5.2.1
Medium
F
ETSI
The standardisation of a
generic secure platform for
the mobile device and of
complementary processes
will contribute to the cost-
effectiveness with respect to
the development,
certification and
implementation of mobile
proximity payment services.
i. Agree and put forward the development of the
specifications of framework, referenced as a
“Smart Secure Platform” (enabling the provision
of value-added services relying on authentication
of the user, regardless of the mobile device,
communication channel and underlying
technology) taking into account the requirements
for mobile payments, hereby leveraging work
already done by EMVCo and Global Platform.
ii. Develop implementation guidelines thereby
leveraging work already done by Global
Platform that define:
o a process to provide the service providers
with the credentials to have access to
secure elements;
o a process that allows a service provider
White paper
mid 2016
Specifications
Dec 2017
Dec 2016
5.1.4
5.2.1
5.2.2
5.2.3
Medium
7
This means that the consumer should be given an option of opting out to contactless products.
2015-11-26 ERPB item 6 ERPB CTLP working group final report 36/66
to be authenticated, to securely get the
credentials to access mobile device’s
hardware vaults (e.g. the secure element)
and to communicate with these vaults.
G Mobile Payment
Providers
Promote the usage of a
generic secure platform for
the mobile device
Require the mobile devices to be qualified according to
the future work developed by the ETSI “Smart Secure
Platform” (see Recommendation F).
Dec 2018 5.1.4
5.2.1
5.2.2
5.2.3
5.2.4
Medium
H
GSMA Provide clarity on NFC
enabled mobile device
evaluation/certification
processes
i. Develop an overview paper on the functional
and security evaluation / certification of NFC
enabled mobile devices (covering all aspects and
configurations #SE types, HCE, TEE, etc…) in
co-operation with Global Platform and EMVCo.
More in particular issues related to contactless
interference issues should be addressed.
ii. Encourage European MNOs to promote the sales
of NFC enabled equipment.
mid 2016
on-going
5.1.4
5.2.1
5.2.2
5.2.3
5.2.4
Medium
I
Mobile Device
Manufacturers,
Mobile OS
Developers and
GSMA / MNOs
Consumer independence on
mobile device for the
freedom of choice on
mobile contactless payment
services
Provide access to the mobile device contactless interface
in order to ensure that the consumer can have a choice
amongst payment applications from different mobile
payment providers, independently of the mobile device
and the operating system used.
on-going 5.2.2
5.2.4
5.2.6
High
J European
Commission,
Regulators and
the Cards
Stakeholders
Group
Address legal issue for the
potential negative impact it
could have on the take-up of
contactless payments
To work together to ensure a consistent understanding
on “the choice of application” in the IF Regulation (see
[8]) and to address the impact that it could have on
contactless payments. Hereby the impact analysis
undertaken by the Cards Stakeholders Group (see
Annex 8) should be taken into account.
mid 2016 5.1.2
5.2.5
High
Table 11: Recommendations
2015-11-26 ERPB item 6 ERPB CTLP working group final report 37/66
In addition, the following specific guidelines are given for the clusters defined in section 4:
Clusters Guidelines
Developed The contactless payment stakeholders active in this cluster are encouraged to continue to focus on the expansion of the
contactless acceptance network within their country and to achieve interoperability between the current acquiring
infrastructure and the upcoming mobile based proximity payment solutions.
In development The contactless payment stakeholders active in this cluster are encouraged to focus their efforts on the expansion of the
contactless acceptance network within their country and to promote the consumer engagement and usage of card-based
payments instruments via contactless on a wider audience of consumers.
Movers The contactless payment stakeholders active in this cluster are encouraged to further promote the migration to contactless
enabled acceptance infrastructure and the ownership of contactless enabled instruments (cards and mobile).
Slow movers The contactless payment stakeholders active in this cluster are encouraged to promote the migration to contactless enabled
acceptance infrastructure and the ownership of contactless enabled instruments (cards and mobile). The launch and the
coordination of projects that promote the usage of contactless payment solutions in the field of public “transit” services is
envisaged for the relevance it might have on increasing the contactless consumer adoption.
Last Movers The contactless payment stakeholders active in this cluster are recommended to develop the contactless enabled acceptance
infrastructure and the ownership of contactless enabled instruments (cards and mobile).
The launch and the coordination of projects that promote the usage of contactless payment solutions in the field of public
“transit” services is envisaged for the relevance it might have on increasing the contactless consumer adoption.
Table 12: Guidelines for the country clusters
2015-11-26 ERPB item 6 ERPB CTLP working group final report 38/66
Annex 1: Mandate of the ERPB Working Group on mobile and card
based contactless proximity payments
Based on Article 8
8
of the mandate of the Euro Retail Payments Board a working group is set up with
the participation of relevant stakeholders to address issues related to the muted take up of mobile and
card based contactless proximity payments.
Scope: Several innovative payment solutions rely on contactless technologies to initiate payments or
transfer payment related data in proximity payment situations. They usually provide a more convenient
user experience at the point of sale and a substantially faster check-out. Even though these types of
payments are still at an early stage of development, there is already a trend towards setting standards
that differ across schemes, devices and countries. The purpose of the working group would be to
analyse existing solutions and standards (both national and international) and assess to what extent
there are differences in standards and technical implementation preventing interoperability at pan-
European level.
Deliverables: The working group is expected to:
i. elaborate on a vision (define the ‘what’ we should achieve) for mobile and card
based contactless proximity payments in euro;
ii. define the essential conditions for the realisation of the vision;
iii. distinguish between essential conditions that need to be addressed in the
competitive and in the cooperative space; and
iv. identify concrete actions to be taken in order for the essential conditions in the
cooperative space to materialise.
The form of communicating the findings and the recommendation of the working group is a report to
the ERPB.
Time horizon: The working group is expected to start work in Q4 2014 and report its findings in Q4
2015. The group would then be dissolved.
Participants and chairmanship: Membership in the working group is open to all volunteering
members of the ERPB. The group will ideally include at least representatives of payment service
providers, consumers, retailers, and corporates. One representative of the ERPB Secretariat and a
limited number of representatives of euro area NCBs will be invited to join the working group as
active participants. The working group could also involve relevant third parties (e.g. mobile network
operators, payment processors) as active participants. A representative of the EU Commission will be
invited as observer. The working group is to be co-chaired by the EPC (supply side) and
Eurocommerce / ERRT (demand side). The final composition of the working group will be submitted
to the ERPB for endorsement.
8
“For the execution of its mandate, the ERPB may establish a working group (...) for a limited period of time for dealing
with specific work priorities. Several groups may operate in parallel, depending on the work priorities. A group is
disbanded as soon as its mandate is fulfilled. (…) Depending on the work priority at hand, the group(s) may be asked by the
ERPB to draft or make recommendations on business practices, business requirements for standards, standards or
implementation specifications or to address specific issues”
http://www.ecb.europa.eu/paym/retpaym/shared/pdf/ERPB_mandate.pdf ECB-RESTRICTED
2015-11-26 ERPB item 6 ERPB CTLP working group final report 39/66
Rules of procedure: The mandate of the ERPB defines a broad set of rules for the procedures of its
working groups. The working group takes positions on a ¾ majority basis. Upon request, dissenting
members (if any) may have their opinions annexed to the final document(s) prepared by the working
group. The members of the group decide on how to organise their work. Costs related to the operation
of the working group are met by the members of the group.
2015-11-26 ERPB item 6 ERPB CTLP working group final report 40/66
Annex 2: Composition of the ERPB Working Group on mobile and card
based contactless proximity payments
Name Surname Nominating Institution
Co-Chairs
Frederic Mazurier Eurocommerce
Dag-Inge Flatraaker EPC
Members
Robert Renskers ESBG
José Carlos Bringas Casado EPC
Paul Alfing Ecommerce Europe
Pascal Spittler EuroCommerce
Charlie
Alternate:
Ben
Craven
Smith
EPIF
Patrice Hertzog EACB
Faiza Mahmood EMA
Michael
Alternate
Patrick
Hoffmann
Poncelet
EBF
Farid Aliyev BEUC
Massimo Battistella EACT
Carlos
Alternate:
Michael
Soares
Taggart
Public Administrations
Anne-Sophie Parent AGE Platform
NCBs
Judith Looman DNB
Johannes
Alternate:
Julien
Klocke
Novotny
Bundesbank
Sergio
Alternate:
Esther
Gorjón
Barruetabeña
BdE
Christiane
Alternate:
Alexander
Dorfmeister
Mayrhofer
OeNB
Li-Chun Yuan BcL
ECB
Francesco
Alternate:
Iddo
Di Salvo
De Jong
ECB
Observer
Barry
Alternate:
Pierre-Yves
Harrington
Esclapez
European Commission
Guests
2015-11-26 ERPB item 6 ERPB CTLP working group final report 41/66
Richard
Alternate:
David
Koch
Stephenson
ECPA
David
Alternate:
Chris
Dechamps
Kangas
MasterCard
Marc
Alternate:
Agnes
Temmerman
Revel
Visa
Priya Vempati American Express
Christian
Alternate:
André
Schollmeyer
Nash
Girocard
External Liaison
Dave Wilson EMVCo
Margot
Alternate:
Xavie
r
Dor
Piednoir
ETSI
Yves
Alternate:
Gil
Moulart
Bernabeu
GlobalPlatform
Claire
Alternate:
Harald
Maslen
Boerekamp
GSMA
Arnaud
Alternate:
William
Crouzet
Vanobberghen
Nexo
Secretariat
Marijke De Soete EPC
Table 13: ERPB WG participants
2015-11-26 ERPB item 6 ERPB CTLP working group final report 42/66
Annex 3: Template of the survey on mobile and card based contactless
proximity payments
1. INTRODUCTION
This survey is being developed in preparation of a landscaping overview on Mobile and Card Based
Contactless Proximity Payments.
The aim of this survey is to provide input on the following topics:
A. Existing or planned mobile and card based contactless proximity payment solutions;
B. Existing or planned white papers and technical and security specifications / standards related to
mobile and card based contactless proximity payments;
C. Existing or planned regulations and recommendations / guidelines on mobile and card based
contactless proximity payments, including security and privacy aspects;
D. Issues or barriers that may prevent the development of pan-European solutions.
The reader is referred to Annex I for a list of abbreviations used in this document.
Submitters are encouraged to provide as much information and as detailed as possible. If needed,
section A can be copied as needed should multiple mobile and card based contactless proximity
payment solutions be available and/or planned in one single country.
Submitters are kindly requested to return the completed survey to the Working Group Secretariat by 13
February 2015.
2. SURVEY
Country: Name Submitter:
Organisation:
2015-11-26 ERPB item 6 ERPB CTLP working group final report 43/66
A. Mobile and Card Based Contactless Proximity Payment Solutions
What Mobile or Card Based Contactless Proximity Payment solutions are currently being
offered in your country or are scheduled to be offered in the near future?
Name of solution:
Mobile or Card based:
Short description of solution:
Launch date and Operational
status:
Geographic coverage:
Within countries:
Cross-border:
Currency:
Volumes (last month for
which data is available):
Number of customers:
Total number of transactions:
Overall total of transaction amounts:
Partners involved (e.g., PSPs,
MNOs, TSMs, …):
Technical solution used (e.g.,
MCP application on card,
MCP application on SE on
mobile device, Remote MCP
application accessed via
2015-11-26 ERPB item 6 ERPB CTLP working group final report 44/66
mobile device, etc…):
Infrastructure(s) used (e.g.
bank infrastructure, clearing
and settlement systems, card
infrastructure, ...):
Source account (e.g. payment
account, prepaid card, ...)
Standards / Guidelines used
for system components and
communication protocols:
Evaluation / certification/ type
approval used for system
components (card, SE, mobile
device, POI, etc…) and
communication protocols
Payment instrument(s) used:
Consumer / Merchant
identification and
authentication methods:
Additional remarks:
2015-11-26 ERPB item 6 ERPB CTLP working group final report 45/66
B. Overview White Papers, Specifications and Standards for Mobile and Card Based
Contactless Proximity Payments
Annex II provides a list of white papers, technical and security specifications / standards or
Mobile and Card Based Contactless Proximity Payments. Please identify any missing
document(s) that should be taken into account for this landscaping exercise as appropriate.
Missing document(s):
C. Overview Regulations and Recommendations / Guidelines on Mobile and Card
Based Contactless Proximity Payments
including security and privacy aspects
Annex III provides a list of regulations and recommendations / guidelines for Mobile and Card
Based Contactless Proximity Payments, including security and privacy aspects. Please identify
any missing document(s) that should be taken into account for this landscaping exercise as
appropriate.
Missing document(s):
2015-11-26 ERPB item 6 ERPB CTLP working group final report 46/66
D. Issues/Barriers
What do you consider to be the most important issues and barriers for the development of pan-
European mobile based contactless proximity solutions?
Issue/Barrier 1:
Possible Solution
for Issue/Barrier 1:
Issue/Barrier 2:
Possible Solution
for Issue/Barrier 2:
……
What do you consider to be the most important issues and barriers for the development of pan-
European card based contactless proximity solutions?
Issue/Barrier 1:
Possible Solution
for Issue/Barrier 1:
Issue/Barrier 2:
2015-11-26 ERPB item 6 ERPB CTLP working group final report 47/66
Possible Solution
for Issue/Barrier 2:
…….
2015-11-26 ERPB item 6 ERPB CTLP working group final report 48/66
Annex 4: Outcome on barriers identified through the survey
Annex 4.1 Common barriers
This section lists the common barriers/gaps/issues identified through the survey which are applicable
both to card and mobile based contactless proximity payments.
# Description of barrier/gap/issue %
coverage
in
survey
9
Competitive /
Cooperative
space
B1 Lack of one common (open) standard for contactless
transactions both for card and mobile NFC contactless
transactions
Card NFC and Mobile device NFC differences in
technical specifications with regards to hardware,
chip operating system, NFC application, NFC
radio transmission and data encryption protocols
between card-NFC and mobile device-NFC – lack
of standardisation of mobile contactless payments
Usage of closed proprietary technical standards
Multiplicity of standards for NFC contactless
payments
Interoperability of contactless acceptance
infrastructure
Uniform payment experience
Lack of common protocol on the acquiring side
Local solutions (carrying international brands)
which do not work cross-border
Testing and certification
50 COOP
B2 Lack of ubiquity of contactless POI terminals (no
sufficient coverage, slow deployment speed, no customer
habituation)
Lack of widespread merchant acceptance
A lack of ubiquity in any given market or region
may hinder consumer habituation towards
contactless technologies and propositions
48,9 COOP/COMP
B3 Business model sustainability
Few parties dominating the market resulting in a
lack of competition and in consumer dependence
Freedom of choice for consumer and merchant
(standard payment method should not be
prescribed by the scheme)
8,3 COMP
B4 Clashes when several NFC cards/devices are presented at
once, leading to conflicts with acceptance problems
6,3 COOP
B5 Bad user interface of contactless POI (uniform way of 16,6 COOP/COMP
9
The percentage reflects the number of respondents that have identified this barrier through the survey
2015-11-26 ERPB item 6 ERPB CTLP working group final report 49/66
making a payment, display, keys, contactless spot and
symbol, clear audio feedback when proximity transaction
was accepted/rejected …)
Bad ergonomics
Accessibility features
B6 Acceptance problems (e.g. PIN on line not supported,
TAP + mobile code+ TAP not supported, etc…)
Difference between online and offline transactions,
creating cross-border interoperability problems and bad
consumer experience (and missed opportunities for
merchants and PSPs)
6,3 COOP/COMP
B7 Differences in transaction amount limits per sector (retail,
parking, toll ways) + cross border
4,2 COOP
B8 The new card IF Regulation (requiring application
selection for co-branded cards), which introduces
additional steps into the payment process and impacts the
transaction speed
2,1 COOP
B9 Lack of business case
Decreasing card industry profitability (e.g; IF
regulation negatively impacts business case to
innovate and to invest)
Difficulties for the set-up of transaction fees in
view of low transaction amounts
POI hardware replacement and costs
Costs for issuers
Costs for merchants
Cost of integration of mobile payments
Cost of UICC centric SE
Lack of business case for an SE based NFC
solution
Economic barriers: financial institutions (as well as
other players, such as merchants) face the high cost
of technological infrastructures /developments and
equipment renewals
Life time of new technology products and renewal
/ migration cycles for payment products
31,3 COMP
B10 Protection against fraud, security and privacy issues
Implement contactless with consumer verification
method if above floor limit
Wireless skimming
Data protection concerns by consumers and
authorities
All parties involved in the payment scheme must
ensure the same level of security
31,3 COOP
B11 Lack of consumer/customer acceptance / demand
Lack of trust by the consumers in this form of
payments - new technology (what if I lose my
card/mobile device)
Reliability
Complexity of products
51 COOP
2015-11-26 ERPB item 6 ERPB CTLP working group final report 50/66
Consumer advantages (e.g. combination with
VAS) not visible enough
Lack of consumer proximity habits (e.g. scanning
2D barcodes, waving card or mobile device)
Lack of agnosticism in methods to carry out
mobile payments
Easiness of solution for consumer (re-use
consumer habits / handling) / consumer
convenience/uniform consumer experience
Lack of ubiquity in consumer education &
communication with respect to security, speed,
reliability, consistency on mobile proximity
payments
Lack of equally advanced consumer
education/awareness
B12 Lack of ubiquity of merchant training
Lack of equally advanced merchant education/awareness
8,3 COOP
B13 Consumer affordability (card services related costs) 2,1 COMP
B14 Lack of interoperability of existing acceptance
infrastructure (accepting NFC and 2D barcodes and…)
2,1 COOP
Table 14: Barriers for card and mobile proximity payments
Annex 4.2 Additional barrier for contactless card payments
This section lists the additional barriers/gaps/issues identified through the survey which are specific to
contactless card payments.
# Description of barrier/gap/issue %
coverage in
survey
10
Competitive
/
Cooperative
space
CB1 No consumer need for contactless cards 2,1 COOP
Table 15: Additional barrier for contactless card payments
Annex 4.3 Additional barriers for mobile proximity payments
This section lists the additional barriers/gaps/issues identified through the survey which are specific to
mobile contactless proximity payments.
# Description of barrier/gap/issue %
coverage
in survey
11
Competitive /
Cooperative
space
MB1 Complexity of mobile ecosystem
Very large variety of models with different
actors and different business impacts
28,6 COMP
10
The percentage reflects the number of respondents that have identified this barrier through the survey
11
The percentage reflects the number of respondents that have identified this barrier through the survey
2015-11-26 ERPB item 6 ERPB CTLP working group final report 51/66
Collaboration requires a lot of resources
Predominance of vertical business models: many
of the existing solutions are vertical portfolios.
It is difficult to reach an agreement on a
common unique solution given that there are
many different third parties.
Complexity of ecosystem for issuing payment
applications in a smartphone - each player aims
to control the customer experience and ensure
ROI
Establishment of partnerships between PSPs and
MNOs / TSMs;
From a PSP perspective: dependency on the
MNOs
MB2 Lack of ubiquity (no sufficient coverage) of NFC
enabled mobile devices
Availability of mobile phones with Android Kit Kat 4.4
and higher
18,8 COOP/COMP
MB3 Lack of incentives for stakeholders in the mobile
ecosystem
Lack of incentives for acquirers
Lack of interaction with public infrastructures
Lack of involvement of public sector
Consumer advantages (combination with VAS)
not visible enough
The absence of incentives for telecom operators
to develop NFC solutions
10,4 COOP/COMP
MB4 Mobile competitive landscape
Co-existence of different payment solutions of
multiple PSPs on mobile device
Gaining consumer attention is increasingly
difficult
New proprietary payment methods (Apple,
Google,….) will change the payment landscape
leading to a complexity of payment options and
increase of acceptance and back-end costs
Owner of wallet solutions may prevent
competition amongst payment products in their
wallet
Co-existence on mobile device with other mobile
services /applications (with different lifecycle)
10,4 COMP/COOP
MB5 Fragmented and immature mobile technology landscape
and immaturity of mobile payments solutions
Technology options on the consumer side
(issuance) make it challenging for issuers to
develop strategies/road maps with a viable
business case and market reach.
Uncertainty for developers associated to the
future prevalent technology
37,5 COOP
2015-11-26 ERPB item 6 ERPB CTLP working group final report 52/66
Payment infrastructures on which mobile
solutions are built are strongly different country
by country.
Many closed loop /proprietary solutions with no
pan-European acceptance involving different
technologies and infrastructures resulting in
interoperability issues -barrier for market
integration –customer confusion
Differentiation of technologies used and no
stable establishment of the most widely accepted
technologies (SE or HCE based, NFC, 2D
barcodes or SMS)
Technical complexity
Poor implementation guidelines and
specifications with a lot of room for different
choices make it a labour intensive and high
barrier for smaller banks with little expertise and
resources to start a project.
MB6 Complexity and security of mobile devices
Complexity of user interfaces
Change of behavior due to software updates
Solutions in the market are multiple, different
and not compatible with all mobile devices. This
may create confusion among users.
Firmware of mobile phones – lack of uniform
solution for all types of mobile devices
Insufficient security features for smart phones
and missing security standards for mobile
payments
Stability and security of mobile devices as a
platform
The security of secure elements of mobile
phones is still an unknown
Rooting (jailbreaking) of mobile phones
Increased malware in mobile devices
18,8 COOP
MB7 Specific standardisation needs for mobile payments
Time at check-out should be at least as fast as
with a card payment
Lack of standardisation in the payment initiation
message (e.g. 2D barcodes)
Lack of standards for the enrolling in digital
wallets.
The absence of standard procedures to
personalise card data into secure elements.
Multiple methods (no PIN, PIN at POI, mobile
code, fingerprint,…) leading to non-
interoperable solutions and consumer confusion
Co-existence of multiple MCP applications on #
SEs, cloud, HCE
10,4 COOP
2015-11-26 ERPB item 6 ERPB CTLP working group final report 53/66
MB8 Fragmentation: no central repository based on common
European standard (IBAN, mobile number, ...)
2,1 COOP
MB9 Lack of pan-European infrastructure for instant
payments
4,2 COOP
MB10 Increased risk compared to physical card based
transactions
Increasing consumer convenience for mobile
payments also increase risk due to less strong
authentication compared to card present EMV
transactions
2,1 COOP
MB11 Availability of mobile payments on accessible phones –
Accessibility of mobile payment solutions
10,4 COOP
MB12 Unnecessary or inappropriate regulatory interference in
the emerging and developing market the unintended
consequences of which may stifle innovation and
prevent participants bringing consumer focused services
to the market
Excessive regulation impacts more heavily smaller/new
players
6,3
MB13 A common regulatory and legal framework in mobile-
based, contactless proximity solutions is a necessary
prerequisite for the development of a pan-European
product offer.
2,1
Table 16: Additional barriers for mobile proximity payments
2015-11-26 ERPB item 6 ERPB CTLP working group final report 54/66
Annex 5: Legal and regulatory documents impacting mobile and card-
based contactless proximity payments in Europe
Reference Document Title Issued by:
[EU1] Dir. 95/46/EC
Directive 95/46/EC of the European Parliament and
of the Council of 24 October 1995 on the protection
of individuals with regard to the processing of
personal data and on the free movement of such data.
EU
[EU2] Dir.
2005/60/EC
Directive 2005/60/EC of the European Parliament
and of the Council of 26 October 2005 on anti-money
laundering and terrorist financing.
EU
[EU3] Dir
2007/64/EC
Directive 2007/64/EC of the European Parliament
and of the Council of 13 November 2007 on payment
services in the internal market.
EU
[EU4] Dir.
2009/110/EC
Directive 2009/110/EC of the European Parliament
and of the Council of 16 September 2009 on the
taking up, pursuit and prudential supervision of the
business of electronic money institutions amending
Directives 2005/60/EC and 2006/48/EC and
repealing Directive 2000/46/EC.
EU
[EU5]
Draft Directive of the European Parliament and of
the Council on the prevention of the use of the
financial system for the purpose of money laundering
and terrorist financing (first draft issued 5 February
2013).
EU
[EU6]] Draft PSD2 Draft Directive of the European Parliament and of
the Council on payments services in the internal
market and amending Directives 2002/65/EC,
2013/36/EU and 2009/110/EC and repealing
Directive 2007/64/EC.
EU
[EU7] Draft NIS
Directive
Draft Directive of the European Parliament and of
the Council concerning measures to ensure a high
common level of network and information security
across the Union (draft issued 07 Feb. 2013).
EU
[EU8] Reg.
1781/2006
Regulation (EC) No 1781/2006 of the European
Parliament and of the Council of 15 November 2006
on information on the payer accompanying transfers
of funds.
EU
[EU9] Reg. 924/2009 Regulation (EC) No 924/2009 of the European
Parliament and of the Council of 16 September 2009
on cross-border payments in the Community and
repealing Regulation (EC) No 2560/2001.
EU
[EU10] Reg. 260/2012 Regulation (EC) No 260/2012 of the European
Parliament and of the Council of 14 March 2012
establishing technical and business requirements for
credit transfers and direct debits in euro and
amending Regulation (EC) No 924/2009.
EU
[EU11] Reg. 2015/751 Regulation (EU) 2015/751 of the European
Parliament and of the Council of 29 April 2015 on
EU
2015-11-26 ERPB item 6 ERPB CTLP working group final report 55/66
interchange fees for card-based payment transactions.
[EU12] Draft Regulation the European Parliament and of the
Council on the protection of individuals with regard
to the processing of personal data and on the free
movement of such data (first draft issued 25 Jan.
2012).
EU
[EU13] Draft Regulation the European Parliament and of the
Council on information accompanying transfers of
funds ( first draft issued 5 February 2013).
EU
[EU14] COM(11) 941
final
Green Paper “Towards an integrated European
market for card, internet and mobile payments”.
EU
[ECB1] [ECB1] Draft SecuRe Pay Recommendations for the Security
of Mobile Payments.
ECB/
Eurosystem
[EN1] EN 16570
Information technology - Notification of RFID - The
information sign and additional information to be
provided by operators of RFID application systems
CEN
[EN2] EN 16571
Information technology - RFID privacy impact
assessment process
CEN
[EN3] EN 301549
Accessibility requirements suitable for public
procurement of ICT products and services in Europe
CEN /
CENELEC /
ETSI
[FCA1] TR14/15 Thematic Review 14/15 Mobile Banking and
Payments.
Financial
Conduct
Authority
UK
Table 17: Legal and regulatory documents
2015-11-26 ERPB item 6 ERPB CTLP working group final report
56/66
Annex 6: Technical and security reference documents related to mobile
and card-based contactless proximity payments
This annex lists the inputs received through the survey and the ERPB WG participants on various
documents related to contactless and mobile proximity payments from different standardisation and
industry bodies. These documents range from white papers, over specifications, guidelines, to test
documents.
The table below depicts on which topics the respective standardisation and industry bodies are mostly
active with respect to the mobile payment architecture.
Table 18: Mobile Payment Architectural Zones (courtesy EMVCo)
2015-11-26 ERPB item 6 ERPB CTLP working group final report 57/66
Reference Document Title Issued by:
[AXP1]
Expresspay Communication Layer American
Express
[AXP2]
Expresspay Card Specification
American
Express
[AXP3]
Expresspay Terminal Specification American
Express
[AXP4]
AXP Contactless NFC Terminal
Implementation Guide
American
Express
[AXP5]
Expresspay Issuer Mobile Implementation
Guide
American
Express
[AXP6]
Contactless Brand Guidelines – English American
Express
[AXP7]
Expresspay Mobile HCE Specifications American
Express
[AXP8]
Mobile InforGraphic American
Express
[CH1]
HCE and SIM Secure Element – It’s not black
and white
Consult Hyperion
[CTAP]
C-TAP specifications for the terminal to
acquirer interface
Acquiris
[DNF1]
Guideline for user-friendly payment terminals Dutch National
Forum on the
Payment System
[EAN1]
Towards a better payment experience Eye Association
Netherlands
[EBA1]
Opinion Paper on Next Generation
Alternative Retail Payments: User
Requirements
European
Banking
Association
[EBU1]
Access to card, internet, and mobile payments
for people with sight loss
European Blind
Union
[EMV1]
EMV Integrated Circuit Card Specifications
for Payment Systems
EMVCo
[EMV2]
EMV Contactless Specifications for Payment
Systems, Book A: Architecture & General
Remarks
EMVCo
[EMV3]
EMV Contactless Specifications for Payment
Systems, Book B: Entry Point
EMVCo
[EMV4]
EMV Contactless Specifications for Payment
Systems, Books C1 – C7: Kernel
Specifications
EMVCo
[EMV5]
EMV Contactless Specifications for Payment
Systems, Books D: Contactless
Communication Protocol
EMVCo
[EMV6]
EMVCo Contactless Mobile Payment
Architecture Overview
EMVCo
[EMV7]
EMVCo Handset Requirements for
Contactless Mobile Payment
EMVCo
[EMV8]
EMV Contactless Mobile Payment -
Application Activation User Interface
EMVCo
2015-11-26 ERPB item 6 ERPB CTLP working group final report 58/66
[EMV9]
EMVCo Mobile Contactless - EMV Profiles
of GlobalPlatform UICC Configuration
EMVCo
[EMV10]
EMV Payment Tokenisation Specification –
Technical Framework
EMVCo
[EMV11]
EMVCo Card and Mobile Testing Framework
for Contactless
EMVCo
[EMV12]
EMVCo White Paper on Mobile Security Use
Cases and Best Practices
EMVCo
[EMV13]
EMVCo White Paper on Contactless Mobile
Payments
EMVCo
[EMV14]
EMVCo Handset Requirements for
Contactless Mobile Payment
EMVCo
[EMV15] SB 94
Aligns the Kernel Identifier Tag and corrects
the Contactless Protocol Parameter Profile
Values and the Class byte for the PUT
TEMPLATE, GET TEMPLATE and SET
MODE commands
EMVCo
[EMV16]
SB 119
Clarifies Group Member CREL and FCI
contactless characteristic declarations,
clarifies behavior related to Length of Base
AID and corrects the content of the returned
PPSE version
EMVCo
[EMV17] SB129
Clarifies the Use of Internal Mode for PPSE
with GlobalPlatform-based Secure Elements
EMVCo
[EMV18] SB142
User Interaction Parameters for Installation of
Contactless Mobile Payment Applications
EMVCo
[EMV19] SB150 Support of extended logical channels EMVCo
[EMV20] Mobile Type
Approval Bulletin
nº5
UICC–Test Kit Availability To Product
Providers
EMVCo
[EMV21] Mobile Type
Approval Bulletin
nº7
Mobile Level 1 Test Applet Requirements EMVCo
[EMV22] Mobile Type
Approval Bulletin
nº9
Contactless Level 1 November Release
Version 2.4a
EMVCo
[EMV23] Mobile Type
Approval Bulletin
nº10
Mobile Product - EMV Contactless Level 1
Test Assessment
EMVCo
[EMV24] Mobile Type
Approval Bulletin
nº11
Mobile Product – CMP PPSE Applet Type
Approval Process
EMVCo
[EMV25] Mobile Type
Approval Bulletin
nº12
Mobile Level 1 Testing - Operating Volume EMVCo
[EMV26] Mobile Type
Approval Bulletin
nº13
Testing availability for products supporting
EMV Contactless Communication Protocol
Specification v2.5
EMVCo
[EMV27]
EMV Next Generation Kernel System
Architecture Overview
EMVCo
2015-11-26 ERPB item 6 ERPB CTLP working group final report 59/66
[EPAS1] EPAS Retailer
Protocol
EPAS Sale to POI Protocol Specifications ePAS
[EPAS2] EPAS TSM
Protocol
EPAS TMS Protocol Message Usage Guide ePAS
[EPAS3] EPAS Acquirer
Protocol
EPAS Acquirer Protocol Message Usage
Guide
ePAS
[EPAS4] EPAS Protocols
Security
EPAS Card Payment Protocols Security ePAS
[EPC1]
EPC 020-08
SEPA Cards Standardisation "Volume" Book
of Requirements
Book 1: General
Book 2: Functional Requirements
Book 3: Data Elements
Book 4: Security
Book 5: Conformance Verification
Procedures
Book 6: Implementation Guidelines
EPC / CSG
[EPC2]
EPC 220-08
Mobile Contactless Payments Service
Management Roles - Requirements and
Specifications
EPC / GSMA
[EPC3] EPC 492-09 White Paper Mobile Payments EPC
[EPC4] EPC 178-10
Mobile Contactless SEPA Card Payments
Interoperability Implementation Guidelines
EPC
[EPC5] EPC 163-13 White Paper Mobile Wallet Payments EPC
[ETSI1]
ETSI TS 102 588 Technical Specification Smart Cards;
Application invocation API by a UICC Web
Server for Java Card Platform
ETSI
[ETSI2]
ETSI TS 102 622 Smart Cards; UICC – Contactless Front-end
(CLF) interface; Host Controller Interface
(HCI)
ETSI
[ETSI3]
ETSI TS 102 613 Smart Cards; UICC-CLF Interface; Physical
and Data Link Layer Characteristics
ETSI
[ETSI4]
ETSI TS 102 705 Smart Cards; UICC Application
Programming Interface for Java card for
Contactless Applications
ETSI
[GIRO1]
Ergonomie-Studie zum kontaktlosen
Bezahlen
Girocard /
Fraunhofer
[GP1]
GPC_SPE_034
Card Specification
GlobalPlatform
[GP2]
GPC_SPE_007
Card Specification Amendment A:
Confidential Card Content Management
GlobalPlatform
[GP3]
GPC_SPE_025
Card Specification - Amendment C:
Contactless Services
GlobalPlatform
[GP4]
GPC_SPE_042
Card Specification - Amendment D: Card
Secure Channel Protocol “03”
GlobalPlatform
[GP5] GPC_SPE_092
Card Specification - Amendment E: Security
upgrade for card content management
GlobalPlatform
[GP6] GPC_SPE_093 Card Specification - Amendment F: Card GlobalPlatform
2015-11-26 ERPB item 6 ERPB CTLP working group final report 60/66
Secure Channel Protocol “11”
[GP7]
GPS_SPE_002
GP Messaging configuration for management
of mobile-NFC Services
GlobalPlatform
[GP8]
GPC_GUI_010
UICC Configuration
GlobalPlatform
[GP9]
GlobalPlatform’s Proposition for NFC
Mobile: Secure Element Management and
Messaging (White Paper)
GlobalPlatform
[GP10]
GPC_SPE_031
Composition Model
GlobalPlatform
[GP11]
GP_REQ_004
Requirements for NFC Mobile: Management
of Multiple Secure Elements
GlobalPlatform
[GP12] GPD_SPE_009 TEE System Architecture
GlobalPlatform
[GP13] A secure solution for deploying value-added
mobile services
GlobalPlatform
[GP14] White paper: Leveraging GlobalPlatform to
improve security and privacy in the Internet-
of-Things
GlobalPlatform
[GSMA1] Pay-Buy-Mobile
Initiative
Requirements for Single Wire Protocol NFC
Handsets
GSMA
[GSMA2] NFC Technical Guidelines White Paper GSMA
[GSMA3] Pay-Buy-Mobile
Initiative
Pay-Buy-Mobile Business Opportunity
Analysis White Paper
GSMA
[GSMA4] NFC UICC Requirements Specification GSMA
[GSMA5] NFC Handset APIs & Requirements GSMA
[GSMA6] White Paper: The Mobile Wallet GSMA
[GSMA7] NFC Core Wallet Requirements GSMA
[GSMA8] The New Mobile Payments Landscape GSMA
[GSMA9] TS.26 NFC Handset Requirements GSMA
[GSMA10] TS.27 NFC Handset Test Book GSMA
[GSMA11] Mobile Payment Security - Discussion paper GSMA + UL
[GSMA12] HCE and Tokenisation for Payment Services -
Discussion paper
GSMA / Consult
Hyperion
[ISO1]
ISO/IEC 7813
Information technology - Identification cards
-Financial transaction cards
ISO
[ISO2]
ISO 8583-1
Financial transaction card originated
messages - Interchange message
specifications - Part 1: Messages, data
elements and code values
ISO
[ISO3] ISO 8583-2 Financial transaction card originated
messages - Interchange message
specifications - Part 2: Application and
registration procedures for Institution
Identification Codes (IIC)
ISO
[ISO4]
ISO 9564-1
Financial services - Personal Identification
Number (PIN) management and security -
Part 1: Basic principles and requirements for
card-based systems
ISO
2015-11-26 ERPB item 6 ERPB CTLP working group final report 61/66
[ISO5] ISO 9564-2 Financial services - Personal Identification
Number (PIN) management and security -
Part 2: Approved algorithms for PIN
encipherment
ISO
[ISO6] ISO/DIS 12812-1 Core banking - Mobile Financial Services -
General Framework - Part 1: General
Framework
ISO
[ISO7] ISO/DIS 12812-2
Core banking - Mobile Financial Services -
General Framework - Part 2: Security and
Data Protection
ISO
[ISO8] ISO/DIS 12812-3
Core banking - Mobile Financial Services -
General Framework - Part 3: Financial
Application Lifecycle Management
ISO
[ISO9] ISO/DIS 12812-4
Core banking - Mobile Financial Services -
General Framework - Part 4: Mobile
Payments to Persons
ISO
[ISO10] ISO/DIS 12812-5
Core banking - Mobile Financial Services -
General Framework - Part 5: Mobile
Payments to Businesses
ISO
[ISO11] ISO/IEC 14443-1
Identification cards - Contactless integrated
circuit(s) cards - Proximity cards – Part 1:
Physical characteristics
ISO
[ISO12] ISO/IEC 14443-2
Identification cards - Contactless integrated
circuit(s) cards - Proximity cards - Part 2:
Radio frequency power and signal interface
ISO
[ISO13] ISO/IEC 14443-3 Identification cards - Contactless integrated
circuit(s) cards - Proximity cards - Part 3:
Initialisation and anti-collision
ISO
[ISO14] ISO/IEC 14443-4 Identification cards - Contactless integrated
circuit(s) cards - Proximity cards - Part 4:
Transmission protocol
ISO
[ISO15] ISO/IEC 15408-1 Information technology - Security Techniques
- Evaluation criteria for IT security - Part 1:
Introduction and general model
ISO
[ISO16] ISO/IEC 15408-2 Information technology - Security Techniques
– Evaluation criteria for IT security - Part 2:
Security functional components
ISO
[ISO17] ISO/IEC 15408-3 Information technology - Security Techniques
– Evaluation criteria for IT security - Part 3:
Security assessment components
ISO
[ISO18] ISO/IEC 18004 Information technology -- Automatic
identification and data capture techniques --
QR Code 2005 bar code symbology
specification
ISO
[ISO19] ISO/IEC 18092 Information technology —
Telecommunications and information
exchange between systems — Near Field
Communication — Interface and Protocol
(NFCIP-1)
ISO
[ISO20] ISO 20022-1 Financial Services – universal financial ISO
2015-11-26 ERPB item 6 ERPB CTLP working group final report 62/66
industry message scheme – Part 1:
Metamodel
[ISO21] ISO 22022-2
Financial Services – universal financial
industry message scheme – Part 2: UML
Profile
ISO
[ISO22] ISO 22022-3
Financial Services – universal financial
industry message scheme – Part 3: Modelling
ISO
[ISO23] ISO 22022-4
Financial Services – universal financial
industry message scheme – Part 4: XML
schema generation
ISO
[ISO24] ISO 22022-5
Financial Services – universal financial
industry message scheme – Part 5: Reverse
engineering
ISO
[ISO25] ISO 22022-6
Financial Services – universal financial
industry message scheme – Part 6: Message
transport characteristics
ISO
[ISO26] ISO 22022-7
Financial Services – universal financial
industry message scheme – Part 7:
Registration
ISO
[ISO27] ISO 22022-8
Financial Services – universal financial
industry message scheme – Part 8: ASN.1
generation
ISO
[ITU-T1] ITU-T Y.2741 Recommendation ITU-T Y.2741:
Architecture of secure mobile financial
transactions in next generation networks
ITU-T
[MC1] M/Chip Mobile Specification MasterCard
[MC2]
MasterCard Cloud-Based Payments
1.
MasterCard Cloud-Based Payments-
Product Description
2.
MasterCard Cloud-Based Payments-
Mobile Payment Application-
Functional Description
3.
MasterCard Cloud-Based Payments-
Credentials Management System-
Functional Description
4.
MasterCard Cloud-Based Payments-
Transaction Management System-
Functional Description
MasterCard
[MC3] MasterCard Contactless Reader Specification MasterCard
[MC4] M/Chip Advance Card Specification MasterCard
[MC5]
PayPass-M/Chip 4 Card Application
Specification
MasterCard
[MC6]
M/Chip Requirements for Contact and
Contactless
MasterCard
[MC7]
Contactless Personalisation Data
Specifications
MasterCard
[MC8]
M/Chip Advance Personalisation Data
Specifications
MasterCard
[MC9] M/Chip Card Personalisation Standard
Profiles
MasterCard
2015-11-26 ERPB item 6 ERPB CTLP working group final report 63/66
[MC10] MasterCard Contactless Kernel Configuration MasterCard
[MF1] White Paper - Alternatives for Banks to offer
Secure Mobile Payments
MobeyForum
[MF2] White Paper - Business models for NFC
payments
MobeyForum
[MF3] Mobile wallet
Part 1 - Definitions and Visions
Part 2 - Control Points in the Mobile
Wallet
Part 3 - The Hidden Controls
Part 4 - Structure and Approaches
Part 5 – Strategic Options for Banks
MobeyForum
[MF4] The Host Card Emulation in Payments –
Options for Financial Institutions
MobeyForum
[MF5] NFC Mobile Payments - An Industry
Snapshot
MobeyForum
[MF6] A Series of White Papers on NFC Security
Part 1: A Security Analysis of NFC
Implementation in the Mobile Proximity
Payments Environment
MobeyForum
[OSC1] OSCar Functional scope OSCar
[OSC2] OSCar POS integration specification for
SEPA compliant terminals
OSCar
[OSC3] OSCar test and certification policy_v1.0 OSCar
[PCI1] Payment Card Industry Point of Interaction
(POI) Modular Security Requirements
PCI
[PCI2] Payment Card Industry PIN Security
Requirements
PCI
[PCI3]
PCI DSS Payment Card Industry Data Security
Standard
PCI
[PCI4]
PCI PA-DSS Payment Card Industry Payment Application
Data Security Standard
PCI
[UKC1]
White Paper:
Requirements to Achieve Scalable Rollout of
Mobile Contactless Payments in the UK
The UK Cards
Association /
Consult Hyperion
[UKC2]
NFC Steering Board: POI Etiquette The UK Cards
Association
[UKC3]
Report: Mobile Contactless Payments
Specification Summary
The UK Cards
Association /
Consult Hyperion
[VISA1] VCPS Visa Contactless Payment Specifications Visa
[VISA2]
Visa Contactless Reader Implementation
Notes
Visa
[VISA3] VMCPS Visa Mobile Contactless Specifications Visa
[VISA4] Visa Multi-Access Specification for VMPA Visa
[VISA5]
Visa Cloud-based Payments Minimum
Requirements and Guidelines
Visa
[VISA6]
Visa Cloud-based Payments Contactless
Specifications
Visa
2015-11-26 ERPB item 6 ERPB CTLP working group final report 64/66
Table 19: Technical and security reference documents
2015-11-26 ERPB item 6 ERPB CTLP working group final report 65/66
Annex 7: Country profiles
Annex 7.1 Poland
The profile for Poland has been provided by PKO Bank Polski (click on the icon to open the
document).
ERPB CTLP 74-15
Poland Market Conta
c
Annex 7.2 UK
The profile for the UK has been provided by the UK Cards Association (click on the icon to open the
document).
ERPB CTLP 67-15 UK
Market Contactless A
d
2015-11-26 ERPB item 6 ERPB CTLP working group final report 66/66
Annex 8: Impact analysis of IF Regulation on contactless payments
This annex contains the impact analysis of the IF Regulation on contactless payments which has been
conducted over the past months by a dedicated team of the Cards Stakeholders Group (click on the
icon to open the document).
CSG 174-15 v0.4
Transcript Pres CSG 0
End of Document
