Understanding Digital Payments

  1. DECODING DIGITAL PAYMENTS: Methods and Technology Landscape
     Santosh S. Potadar, Samtosh.potadar@gmail.com

     Abstract: This document is an attempt to give insight into the digital payments space as a whole. It describes the different payment scenarios or methods and how the underlying technology works.
  2. Introduction: Payments, and the downstream clearing and settlement, are at the heart of commerce. Payment instruments have evolved from bartering, centuries ago, to digital payments in today's digital era. Access to your money on the go has never been easier. The ubiquitous mobile phone has already made deep inroads into this space. What follows is an attempt to decode payments by looking at the different payment methods, the technologies involved, and some of the popular and widely accepted payment solutions built around mobile payments and digital wallets. This is a high-level techno-functional document that should give some insight into the digital payments space.

     Payment Methods

     Remote Payments – Payments made from a distance, where payer and payee are not face to face. Such payments primarily happen through channels like mobile native app wallets, digital wallets in a mobile or web browser, and payment gateways that accept payment instruments like credit cards, debit cards, NetBank accounts and, in some geographies, digital cheques.
  3. Proximity Payments – Payments made where payer and payee are in the vicinity or face to face; the payment card (a contactless payment instrument) may be a few inches away from the accepting terminal. The payment instrument may also be in direct contact with the accepting terminal, e.g. contact cards.

     Digital wallets / mobile wallets and cards are among the key instruments used for payments. Globally, however, it is predominantly mobile payments that are on the rise. There are about 6.5 billion mobile subscriptions, out of which there are over 5 billion active mobile users. There were about 245 million mobile payment users in 2013; Juniper Research predicts that this number will almost double to 450 million mobile payment users, and according to Statista volume will grow to 721 billion dollars by 2017. Australian banks reported that, due to their adoption of NFC technology, contactless payments increased from 10% to 60% in 2013. According to the World Payment Report 2014, mobile payments are expected to grow by 60% in 2015.

     Technology Landscape: Be it contact or contactless payment, the ecosystem draws on more or less the same set of technologies, as shown below. For instance, mobile payments, a form of contactless payment when used in a proximity scenario, may use NFC, SE, HCE, tokenization, cryptography etc. in the solution ecosystem, driven by specifications like EMV.
  4. Different types of payment chip cards: The discussion would not be complete without mentioning the types of chip cards used in day-to-day life. Payment cards are categorized into contact, contactless and dual-interface cards. Contact chip cards have to come into physical contact with the accepting terminal. The way the card interacts with the terminal is governed by the EMV specifications, which have become the global standard for chip card technology.

     a. What is EMV? – EMV (Europay, MasterCard, Visa) is a global set of standards and specifications for credit and debit payment chip card technology. The specifications are managed by
  5. EMVCo. EMVCo is an organization first established by Europay, MasterCard, and Visa. Its primary purpose was to globally standardize the requirements for interoperability and acceptance of cards by card readers / accepting terminals. The top reason EMV cards are so widespread is that they significantly enhance transaction security, with added functionality in the main areas of Card Authentication, Cardholder Authentication and Transaction Authorization, thus reducing the fraud emanating from counterfeit, stolen or lost cards. Globally, 32% of transactions are EMV. There are over 2 billion EMV cards in use and more than 35 million EMV PoS machines deployed around the world.

     b. What is an EMV chip? – As shown in the figure, the chip is a small rectangular micro-controller processing unit embedded in the plastic card. One of the features of this chip is that a payment application is resident in the chip. (http://www.smartcardbasics.com/smart-card-types.html)

     c. COS (Chip Operating System) – The card operating system is hardware-specific firmware that provides basic functionality to applications, such as access to on-card memory, authentication and encryption. The COS is a sequence of instructions embedded in the ROM of the smart card. Most applications make use of these instructions. There are two primary types of COS: a) general-purpose COS and b) dedicated COS. A dedicated COS has commands specifically designed for applications. Typically, the issuer has to stick with one application developer, operating system and chip when they come up with a chip-based card product like a credit card, debit card, or travel card with pre-loaded money.
  6. However, the trend now is multi-application cards. JavaCard and MULTOS are the most popular COSs, with the bigger market exposure. (Source: http://www.cardwerk.com/smartcards/MULTOS/)

     d. Standards – ISO/IEC 7816 and ISO/IEC 14443 are the primary standards for smart cards. ISO/IEC 7816 is a multipart (about 15 parts in total) international standard for contact and contactless smart cards. Each part of this standard focuses on a specific area of the complete card. For example, ISO/IEC 7816-1 covers cards with contacts (physical characteristics), 7816-2 specifies the dimensions and location of the contacts, 7816-3 specifies the electrical interface and transmission protocols, and so on. ISO/IEC 14443 is a four-part international standard for contactless smart cards operating at 13.56 MHz for proximity payments at a distance of less than 10 cm. As with 7816, each part of 14443 specifies certain areas and aspects of contactless cards. For example, 14443 Part 1 describes the physical characteristics of cards, Part 2 describes the radio frequency power and signal interface, Part 3 describes the initialization and anti-collision provisions, and Part 4 describes the transmission protocol requirements.

     What is the difference between the ISO/IEC 7816 and EMV standards? The EMV Chip Specifications are based on, and are a subset of, the requirements in the ISO/IEC 7816 series of standards. EMV is an implementation-oriented, simplified specification. According to EMVCo, if there are any differences between the documents, the EMV specification takes precedence.

     What is the difference between the ISO/IEC 14443 and NFC standards? ISO/IEC 14443 is a four-part standard for contactless smart cards. There are three types of contactless cards: Type-A, Type-B and Type-F. The difference is primarily in Part 2 of the specification, where the RF modulation (signaling method) differs between types.
     The actual underlying governing international standard for NFC is ISO/IEC 18092, driven by the NFC Forum and based on ISO/IEC 14443. ISO/IEC 18092 includes two communication modes, viz. active and passive (peer-to-peer and NFC tags). There are 3 modes of operation within the two modes of communication in ISO/IEC 18092:

     1. Read/Write
     2. Peer to Peer
     3. Card Emulation
  7. There are many mobile payment solutions out there. A few of the innovative and disruptive ones are described in the following sections.

     Apple Pay: How does it work?

     In October 2014, with the roll-out of the iPhone 6 and 6 Plus, Apple also launched a payment and digital wallet service based on NFC and SE (secure element) technology. Apple leveraged and integrated the existing Passbook, iTunes and Touch ID services into a payment ecosystem that is being adopted at a very fast pace. Apple Pay is being seen as a game changer in the mobile payments space, as it is easier to use for consumers and easier to set up for merchants. The most innovative part is that no intervention by MNOs (mobile network operators) is required, and it works with existing contactless payment terminals like MasterPass, Visa PayWave etc. Complexity is significantly reduced because the secure element (SE) is not SIM-based but sits within the phone hardware itself, removing the need to integrate with MNO payment infrastructure. The secure element is where the tokenized form of the card credentials is stored.
  8. Apple has not yet published its Apple Pay implementation details. However, based on some research and their press release, here is how the underlying technology works.

     1. The user adds the card in Passbook or iTunes. Passbook for iPhone also allows users to capture the card with the iSight camera and add its information. The default card is generally the first card that is added. Apple Pay can be used in a remote payment scenario, as it can be integrated with iPhone apps using the APIs. It can also be used in a "tap and pay" contactless scenario. Contactless tap-and-pay payment only works on the iPhone 6 and 6 Plus.

     2. Apple says that it does not store any card payment information, such as the PAN or any other credentials, in the cloud. So the question is how a transaction happens if no card details are stored. Here is the innovative part: Apple provisions a token for the card in the secure element (SE) of the phone. Who issues the token for the card information, and how is it provisioned in the SE? Once the card is entered manually or through the Passbook iSight camera, the PAN details are sent to Apple servers, and from there to payment networks such as MasterCard, Visa or AMEX. The payment network returns a token and, along with it, a token key. Apple Pay is the token requester (TR) and the payment networks are the Tokenization Service Providers (TSP). The payment network returns the token only when a request to the card issuer for identification and verification of the card is successful.

     3. Apple Pay uses the EMVCo contactless specification. When the user taps the iPhone on a contactless NFC terminal, the NFC triggers the SE. The SE in the phone generates a dynamic cryptogram using a combination of the token, the token key, the amount and other transaction details. The token, the dynamic cryptogram and other details are sent to the terminal. All of this interaction happens in compliance with the EMVCo contactless specification.

     4. Once the contactless terminal accepts this information, the authentication and authorization process kicks in. The terminal sends the data to the acquirer for verification. The acquirer passes it on to the payment network. The payment network identifies the data as a tokenized PAN and sends it to its TSP (token service provider) for de-tokenization. The PAN obtained after de-tokenization is passed on to the issuer for authorization. The issuer authorizes based on the customer's card and account status. After authorization, the information flows back to the terminal for printing the receipt.
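
The token and cryptogram flow in steps 2 to 4, modelled end to end as an added example (not Apple's or any payment network's code). All class and function names are hypothetical, the PAN is a constructed test value, and HMAC-SHA256 stands in for the EMV cryptogram algorithm, which the document does not specify.

```python
import hashlib, hmac, secrets

def make_cryptogram(key, token, amount_cents, counter):
    # Assumption: HMAC-SHA256 stands in for the real EMV cryptogram algorithm.
    msg = f"{token}|{amount_cents}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class TokenServiceProvider:
    """Hypothetical TSP run by the payment network; it alone holds the vault."""
    def __init__(self):
        self._vault = {}  # token -> [PAN, token key, highest counter accepted]

    def provision(self, pan):
        # Step 2: return a PAN-shaped surrogate and a token key for the SE.
        digits = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 1))
        token, key = "9" + digits, secrets.token_bytes(32)
        self._vault[token] = [pan, key, 0]
        return token, key

    def detokenize(self, token, amount_cents, counter, cryptogram):
        """Step 4: release the PAN to the issuer only for a valid, fresh cryptogram."""
        entry = self._vault.get(token)
        if entry is None:
            return None                      # unknown token
        pan, key, last_counter = entry
        expected = make_cryptogram(key, token, amount_cents, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return None                      # wrong key or altered amount
        if counter <= last_counter:
            return None                      # captured message replayed
        entry[2] = counter
        return pan

class SecureElement:
    """Hypothetical device SE: stores the token and token key, never the PAN."""
    def __init__(self, token, key):
        self.token, self._key, self._counter = token, key, 0

    def tap(self, amount_cents):
        # Step 3: what the terminal, acquirer and network get to see.
        self._counter += 1
        return {"token": self.token, "amount_cents": amount_cents,
                "counter": self._counter,
                "cryptogram": make_cryptogram(self._key, self.token,
                                              amount_cents, self._counter)}
```

Because the cryptogram binds the token to the amount and a per-tap counter, a message captured at the terminal or acquirer cannot be replayed or reused for a different amount, and the PAN never leaves the TSP and issuer side.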
  9. Google Wallet: How does it work?

     Google Wallet is a digital/mobile wallet. Google's aim is to have everything in the digital wallet that you typically keep in your physical wallet: credit and debit cards, loyalty cards, coupons, tickets, gift cards etc. Google has released 3 versions of its wallet service, the latest being 3.0, which was released along with Android KitKat (4.4). With this release Google introduced what it calls Host Card Emulation (HCE) technology for mobile payments, and officially ended support for the physical device SE in the Google Wallet application. http://www.nfcworld.com/2014/03/17/328326/google-wallet-ends-support-physical-secure-elements/

     Google has confirmed its move to HCE: “Host card emulation allows Android applications to communicate directly over NFC on supported devices with Android 4.4 KitKat. When you tap your phone to pay, HCE enables Google Wallet to pass transaction information to the point-of-sale terminal to complete your transaction. Devices that are running older operating systems may no longer support Google Wallet’s tap-and-pay feature”

     Google Wallet too is compliant with the EMVCo contactless specification; therefore, as with Apple Pay, there is no need for Google Wallet-specific terminal infrastructure.

     How does HCE work? Users add credit or debit cards as payment methods to their Google Wallet account, either through the web interface or through the mobile app. What happens when a card is added to the wallet? Where is it stored? Is it really stored anywhere? Yes: unlike Apple Pay, Google Wallet stores card details or payment credentials on its secure cloud servers. The secure cloud is the new secure element in this ecosystem. The two earlier versions of Google Wallet relied solely on a device-based SE (either UICC, embedded device SE, or SD card-based SE). The NFC controller, based on its “AID routing” mechanism, directs the NFC communication to either HCE or the SE.
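
A simplified model of the AID routing decision described above, added here as an illustration (not Google's or any NFC controller vendor's code). The routing table, the default route and the `F0...` proprietary AID are assumptions; the SELECT command layout follows ISO/IEC 7816-4.

```python
# Constructed routing table: application identifier (AID) -> destination.
ROUTES = {
    bytes.fromhex("A0000000041010"): "SE",    # assumed: card applet on a device SE
    bytes.fromhex("F0010203040506"): "HOST",  # assumed: AID registered by an HCE app
}
DEFAULT_ROUTE = "SE"  # assumption: AIDs not in the table fall through to the SE

SELECT_BY_AID = bytes.fromhex("00A40400")  # CLA INS P1 P2 of SELECT by name

def parse_select_aid(apdu: bytes):
    """Return the AID carried by a SELECT command, or None if it is not one."""
    if len(apdu) < 5 or apdu[:4] != SELECT_BY_AID:
        return None
    lc = apdu[4]
    # AIDs are 5 to 16 bytes long; a trailing Le byte is optional.
    if not 5 <= lc <= 16 or len(apdu) not in (5 + lc, 6 + lc):
        return None
    return apdu[5:5 + lc]

def route(apdu: bytes, current=None):
    """A SELECT picks the destination; every later command follows it."""
    aid = parse_select_aid(apdu)
    if aid is None:
        return current  # not a well-formed SELECT: routing is unchanged
    return ROUTES.get(aid, DEFAULT_ROUTE)

def host_routed_aids():
    """AIDs whose traffic is handled by host software rather than SE hardware."""
    return sorted(aid.hex().upper() for aid, dest in ROUTES.items() if dest == "HOST")
```

Listing the host-routed AIDs is a useful review step, since any application reached over that route is served by software on the host operating system and gets none of the SE's hardware isolation.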
  10. The figure summarizes how the NFC controller redirects the communication from the reader to either the SE or the host CPU for an HCE transaction. An HCE transaction involves a host operating system (like Android) and an app running on it. The app may have a user interface, but it in turn uses the HCE service of the host operating system. From a security perspective, the HCE app on the host OS does not store any card credentials. Instead, the HCE app connects to the cloud, in real time before each transaction or at a pre-set frequency, to fetch a limited-validity token or dynamic data for provisioning into the HCE app. This dynamic data is sent to the contactless terminal when the phone is tapped on the terminal. This method is called tokenization with cloud storage. There is also a method called cloud storage without tokenization, where the actual card credentials are retrieved from the cloud and then passed on to the contactless terminal during the transaction. However, this method is the least secure.

      In March 2015 Google announced a revamped version of Google Wallet called AndroidPay.

      In a nutshell, mobile payments are here to stay, with new innovations coming into play day by day. The future looks bright for NFC and contactless payments, which have already gone beyond mobile payments into payments through wearables. As the Internet of Things (IoT) or Internet of Everything evolves, it could bring in business models that require payments. This in itself would be an immense untapped opportunity to look forward to.