
Chapter 76 Emerging Technologies for User-Friendly Mobile Payment Applications

Vibha Kaw Raina

Birla Institute of Technology, India

ABSTRACT

The advancement and the evolution of mobile communications and mobile device technology have led to a remarkable growth and tremendous requirement for mobile applications that are carried on mobile phones. These technologies have led to the deployment of business, communications, and mobile services, and hence gave rise to mobile payments. Mobile payments are considered the killer applications and are real-time cashless payments. Mobile payments take place with the help of mobile telephony and communications, where maintaining security solutions becomes an important factor. This chapter describes the different emerging technologies carried out between a resource-limited mobile device and a resource-rich computer server over wireless networks.

1. INTRODUCTION

The essence of mobile technology revolves around the idea of reaching customers, suppliers, and employees regardless of where they are located. Mobile technologies are about delivering the right information to the right place at the right time. It gives users the ability to access the Internet from any location at any time, the capability to pinpoint an individual mobile terminal user’s location, the functionality to access information at the point of need, and a need-based data/information update capability. A mobile technology is not just an evolution of communication technologies but combines the advantages of mobile communications with existing electronic communications services. There are some specific attributes of mobile technology, such as mobility and reachability. Mobile technology is a broad category that includes all devices, protocols and infrastructures that allow one to communicate, interact and exchange data with an individual or system anywhere and anytime.

DOI: 10.4018/978-1-4666-6268-1.ch076

Examples include mobile phones and PDAs (Personal Digital Assistants). For mobile technology, the major characteristics are mobility and reachability. Mobility implies that users can carry cell phones or other mobile devices to transact from anywhere in the mobile network area. Reachability of the wireless devices makes it possible for people to be contacted anytime and anywhere and provides users with the choice to limit their reachability to particular persons or times. Mobile commerce has features not available to traditional e-commerce. In addition to reachability and mobility, the other features are described as follows:

1. Ubiquity: It is the primary advantage of mobile telephony. Users can get any information that they are interested in, whenever they want, regardless of their location, through Internet-enabled mobile devices. In mobile applications, users may be engaged in activities, such as meeting people or travelling, while conducting transactions or receiving information. In this sense, mobile communications makes a service or an application available wherever and whenever such a need arises.

2. Localization: The knowledge of the user’s physical location at a particular moment also adds significant value to mobile commerce. With location information available, many location-based applications can be provided. For example, with the knowledge of the user’s location, the mobile service will quickly alert him/her when his or her friend or colleague is nearby. It will also help the user locate the nearest restaurant or ATM. Positioning technologies, such as the Global Positioning System (GPS), allow companies to offer goods and services to the user specific to his current location. Location-based services can thus be offered to meet consumers’ needs and wishes for localised content and services.

3. Personalization: An enormous amount of information, services, and applications is currently available on the Internet, and the relevance of the information users receive is of great importance. Since owners of mobile devices often require different sets of applications and services, mobile applications can be personalized to present information or provide services in ways appropriate to a specific user.

4. Dissemination: Some wireless infrastructures support simultaneous delivery of data to all mobile users within a specific geographical region. This functionality offers an efficient means to disseminate information to a large consumer population.

5. Flexibility: Users of mobile devices should be able to engage in activities such as receiving information and conducting transactions with ease.

6. Immediacy: Closely related to the feature of ubiquity is the possibility of real-time availability of services. This feature is particularly attractive for services that are time-critical and demand a fast reaction, e.g. stock market information for a broker. Additionally, the consumer can buy goods and services as and when he feels the need. The immediacy of the transaction helps to capture consumers at the moment of intention, so that sales are not lost in the discrepancy between the point of intention and that of the actual purchase.

7. Instant Connectivity: With the introduction of the General Packet Radio Service (GPRS), mobile devices are constantly online, i.e. in touch with the network. This feature brings convenience to the user, as time-consuming dial-up or boot processes are not necessary.

8. Pro-Active Functionality: A mobile application opens, by virtue of its ability to be immediate, local and personal, new avenues for push marketing, such as content and product offers. Services like opt-in advertising can be offered, so that a user may choose the products, services and companies which he wants to be kept informed about. The Short Message Service (SMS) can be used to send brief text messages to consumers informing them of relevant local offerings that best suit their needs. This feature ensures that the relevant information can be provided to the user at the right place, at the right time. The user too does not have to fear missing some potentially crucial information or getting it too late.

9. Simple Authentication Procedure: Mobile telecommunication devices function with an electronic chip called the Subscriber Identity Module (SIM). The SIM is registered with the network operator and the owner is thus unambiguously identifiable. The clear identification of the user in combination with an individual Personal Identification Number (PIN) makes any further time-consuming, complicated and potentially inefficient authentication process redundant.

2. BACKGROUND

Fourati et al. (2002) proposed an approach combining the SET protocol with the TLS/WTLS protocols in order to enforce the security services over WAP 1.X for payment in m-commerce. The authors implemented the additional services of the SET protocol, namely the confidentiality of the payment information between the buyer and the payment gateway, and data integrity. In the proposed approach WTLS certificates are used instead of SET certificates, which avoids the heaviness of SET certification. Moreover, this approach eliminates the WAP gap, since the payment information is not decrypted within the WAP gateway or on the seller side. Long et al. (2003) discussed the unique challenges of securing financial services and suggested several technologies that can meet these challenges. The Internet has changed the way many people trade stocks by bringing up-to-date market information and do-it-yourself trading to average investors. Wireless connectivity and Web services play essential roles in meeting such demands, offering financial traders unprecedented convenience, choice and speed in accessing the dynamic financial information they need to make real-time decisions. These improvements benefit the whole market by increasing liquidity and reducing information asymmetry, a condition in which critical information is known only to some traders rather than to all participants in the stock market.

Ondrus (2003) identified different types of mobile payments considering the type of transaction, the location of the POS and the number of entities involved. Berger et al. (2003) expanded the notion that mobile devices can both offer and consume Web Services. They discussed some classes of applications that can be enabled when mobile devices can host Web Services. This is a powerful model for facilitating automatic interaction between resource-constrained mobile devices, time-starved users and pervasive infrastructure. To implement a scenario they explored the issues that arise due to the mobility of devices hosting Web Services, such as service discovery, device disambiguation, software footprints and security requirements. The authors implemented a retail shopping scenario where a mobile device offers wallet services to an electronic check-out kiosk. This demonstration is housed at the IBM Industry Solutions Lab and has been operational. Zheng and Chen (2003) developed a mobile payment system that is operating in the Digital Fujian Province of China. Chen and Adams (2004) examined several available short-range wireless technologies for mobile payment systems and the ways in which short-range wireless technologies support these mobile payment systems. The issues and advantages, along with the future developments of mobile payments and the wireless technologies associated with the mobile payment industry, are also discussed.

3. WIRELESS APPLICATION PROTOCOL (WAP)

The Wireless Application Protocol (WAP) is an effort to make the Internet available to mobile phones and similar devices that communicate over a wireless network. It is designed to use as much as possible of existing technologies, with the World Wide Web as the main component. Other important factors in the protocol design are the differences between desktop computers and handheld devices. Examples of such differences are the limited power, display and input capabilities. Since WAP uses the Web, service providers do not need to buy new servers or any other hardware devices at all. Instead, the company’s existing Web server is fully capable of delivering WAP content after some minor configuration of the Web server software.

Wireless Application Protocol (WAP) is a specification for a set of communication protocols to standardize the way that wireless devices, such as cellular telephones and radio transceivers, can be used for Internet access, including e-mail, the World Wide Web, newsgroups, and instant messaging. Before the introduction of WAP, mobile services were limited and the opportunities to offer interactive data services were minimal. Interactivity was needed to support Internet and Web applications. WAP is the convergence of three evolving network technologies: wireless data, telephony and the Internet. WAP was designed to meet all the requirements that a mobile device provides in terms of advanced services in a usable and attractive way, in order to promote increased usage of mobile network services. WAP is an open standard, developed by the WAP Forum. Nokia, Ericsson and Motorola, plus the US software company Phone.com (formerly Unwired Planet), took the initiative to create a standard for the development of services for the wireless community on June 26, 1997. At the end of the year the WAP Forum was created, and the first release of the WAP specification was published in February 1998. The goal of the WAP Forum is to develop a license-free standard for bringing information and services to wireless devices. The name “Wireless Application Protocol” (WAP) is misleading. WAP is not actually a protocol at all. In fact, WAP involves multiple protocols and a complete network architecture for the delivery of wireless content. A WAP browser is a Web browser for mobile devices that uses the protocol.

3.1. WAP Architecture

The WAP protocol is designed to use as much of existing technologies and standards as possible. There are three major parts of a WAP enabled system (Figure 1):

• WAP Gateway

• HTTP Web Server

• WAP Device

A browser in the WAP device communicates with a WAP gateway (or proxy) connected to the Internet. The gateway translates requests from the WAP protocol stack to the WWW protocol stack (HTTP and TCP/IP) and vice versa. Since all communication between the gateway and the WAP client is binary encoded to reduce network traffic, the gateway also encodes and decodes all messages accordingly. When the browser sends a request, the gateway decodes it to plain text and then forwards the request to the Web server containing the desired content. In this way a content provider only needs to add a few content types to the Web server to enable WAP services to be developed, since the user of the WAP device is always connected to the same gateway. This leads to the fact that WAP uses the same naming model as Web applications to point out content on remote servers by using URLs. The standard content formats used by WAP applications are based on WWW technology, including a markup language called Wireless Markup Language (WML), calendar information, a scripting language by the name of WMLScript and so forth.

Figure 1. WAP model

When a server replies, the desired content is sent to the gateway. The gateway encodes the information into the binary form of WML it uses for the communication with the WAP device. The binary encoding compresses the tags and the header information of the WML document. Each tag in the document is replaced by a two-byte value, i.e. no more data than a single character. The textual content is not compressed, but all unnecessary spaces and line breaks are removed. This saves both bandwidth on the communication channel and power on the client. WAP applications reside on the Web server, so no software has to be installed on the mobile device. Encryption and authentication are provided through Wireless Transport Layer Security (WTLS). This security is based on Transport Layer Security and SSL. The encryption options are DES and 3DES. The overall architecture of WAP is layered, and is shown in the next section.

3.2. WAP Protocol Stack

WAP is designed in a layered fashion so that it can be extensible, flexible, and scalable. The WAP protocol stack is divided into five layers:

• Application Layer (WAE)

• Session Layer (WSP)

• Transaction Layer (WTP)

• Security Layer (WTLS)

• Transport Layer (WDP)

3.2.1. Wireless Application Environment (WAE)

The Wireless Application Environment (WAE) is the uppermost layer in the WAP protocol stack. It combines World Wide Web and mobile telephony technologies, and the effort is to provide a common environment for operators and service providers. The WAE is divided into two logical layers, one for user agents and one for services and formats. The first layer is for user agents, e.g. browsers, phonebooks and message editors. In the second layer, there are different elements available such as WML, WMLScript, image formats, card and calendar formats and so forth. Those services and formats are accessible to and used by the different user agents.

3.2.2. Session Layer: Wireless Session Protocol (WSP)

The session layer offers two interfaces for the WAE: a connection-oriented service that operates above the transaction layer protocol, and a connectionless service that operates above a secure or non-secure datagram service. The connection-oriented service provides a session between the client and a WAP gateway or proxy. It handles capability negotiation and communication interrupts, such as a change of bearer. There is support for asynchronous requests, and answers can be handled unordered. The connectionless service is basically a thin layer used by the WAE when there is no need for a reliable transaction of data. WSP is optimized for low-bandwidth bearer networks. The wireless session protocols currently consist of services suited for browsing applications, named WSP/B. WSP/B is designed to allow a WAP proxy to connect a WAP client to a standard HTTP server and provides HTTP/1.1 functionality and semantics in a compact over-the-air encoding. The service is assumed to be a long-lived session that can be suspended and resumed at a later time without any need for a new capability negotiation, which results in less traffic. With the release of WAP 1.2, a function for both reliable and unreliable data push is fully included in the protocol.

3.2.3. Transaction Layer: Wireless Transaction Protocol (WTP)

WTP runs on top of a datagram service and provides a lightweight transaction-oriented protocol that is suitable for mobile phones. It operates over secure or non-secure wireless datagram networks and is a reliable way of communication, with the ability to retransmit lost messages and avoid duplication. The communication sequence is only alive during the exchange of an individual message, and therefore there is no relation between different messages.

3.2.4. Security Layer: Wireless Transport Layer Security (WTLS)

WTLS provides transport layer security between the WAP client and the WAP Gateway/Proxy. It is based upon the industry standard Transport Layer Security (TLS) protocol, formerly known as Secure Socket Layer (SSL). WTLS is optimized for use over narrowband communication channels, and each application can selectively enable security features. The security layer provides data integrity to ensure that the data is unchanged and uncorrupted. It grants privacy and ensures that any intermediate parties intercepting the data stream cannot understand the data. Authentication and protection against Denial-of-Service attacks are also parts of WTLS.

Wireless transactions, such as those between a user and their bank, require stringent authentication and encryption to protect the communication from attack during data transmission. Because mobile networks do not provide end-to-end security, TLS had to be modified to address the special needs of wireless users. Designed to support datagrams in a high-latency, low-bandwidth environment, WTLS provides an optimized handshake through dynamic key refreshing, which allows encryption keys to be regularly updated during a secure session.

3.2.5. Transport Layer: Wireless Datagram Protocol (WDP)

WDP provides a datagram layer for different types of bearers without User Datagram Protocol (UDP) support, such as GSM SMS. WDP offers a consistent service at the Transport Service Access Point to the upper layer protocol of WAP (Figure 2). This consistency of service allows applications to operate transparently over different available bearer services.

Figure 2. WAP protocol stack

3.3. WAP Security

WAP security functionality includes the Wireless Transport Layer Security (WTLS) and application level security, accessible using the Wireless Markup Language Script (WMLScript). For optimum security, some parts of the security functionality need to be performed by a tamper-resistant device, so that an attacker cannot retrieve sensitive data. Such data is especially the permanent private keys used in the WTLS handshake with client authentication, and for making application level electronic signatures. The WAP Identity Module (WIM) is used in performing WTLS and application level security functions by storing and processing information needed for user identification and authentication. The functionality in terms of the requirements and sensitive data, especially keys, can be stored in the WIM. WAP achieves application layer security by taking advantage of WTLS (Wireless Transport Layer Security), the access control features in WML and WMLScript, and the WIM.

4. EMERGING TECHNOLOGIES OF PAYMENT SYSTEMS

Mobile Payment is using different new technolo­gies to make the payments more efficient and trustworthy. Some of them are as follows:

• Biometric Payments

• Barcode Payments

• NFC Payments

4.1. Biometric Payment

Biometric payment is a kind of technology that allows people to pay at shops or markets with just a touch of their fingers, a scan of their face or by laying their hands on a reader. Biometric authentication differs from a normal authentication system in that users do not need any tokens or passwords for their payment other than their biometrics. With biometric payment systems the account information is automatically recognized to finish the payment procedure.

Biometric authentication is fast, easy and secure. No swiping of cards or writing of checks is required. People can leave their wallet behind. And above all, their biometrics are unique, so only the user can access the system. Biometrics-based authentication applications, which are critical to the growth of the global economy, comprise many features. These include, but are not limited to, single sign-on, Web security, transaction security, application logon, data protection, workstations, remote access to resources, etc.

4.1.1. Biometric Authentication Process

Biometric payment technology allows the consumer to pay with the touch of a finger on a fingerprint scanner linked to a payment file. The fingerprint template is typically linked to a router and the transmission media necessary to clear the transaction through an automated clearinghouse. Biometric payment providers (e.g., Pay-by-Touch and BioPay) require completion of a pre-enrollment process in which index fingers are scanned and driver’s license and banking information is recorded in an account database. This process reportedly takes less than two minutes. In addition to transaction settlement, biometric payment providers may also link captured transactions to loyalty reward programs, gift cards, discount coupons and Web access services. The processes involved in biometric authentication are the enrollment process, the verification process and the identification process.

4.1.1.1. Enrollment Process

Enrollment relates to the process of registering the fingerprints of a customer against their other demographic data as a record of their biometric identity. It is a one-time process in which a customer is asked to present their fingers on a scanner and the fingerprints are recorded and stored. In this process the biometric template of the customer is captured and stored in the biometric database. In an online biometric authenticated system, the verification is carried out by retrieving the customer’s biometric template using their identity number and then matching that against a live fingerprint. The enrollment process involves recording the templates against an identity number. The typical steps in an enrollment process are:

• The customer is asked to enter a customer identity number (this could be a bank re­lated number, a national ID or any other unique identity number).

• The customer is then asked to present their biometric template on a scanner (SFR300) that then captures the images.

• The enrollment system may ask the customer to present their biometric multiple times to ensure that the quality of the image captured is good enough for verification.

• An ISO 19794-2 template is derived from the captured images.

• The template along with the raw image is stored in the biometric server (true Server) against the customer identity number for later retrieval and verification.

4.1.1.2. Verification Process

In this process the customer’s biometric template is verified to authenticate the payment. In the verification process the customer enters their customer identity number into the verification system. The system then prompts the customer to present their live biometric on the scanner. The live biometric is then compared with the biometric template stored against the customer identity number in the biometric server. In case the verification is successful the payment transaction is considered authenticated and the transaction is sent to the bank for processing. In case of a failure the customer may be asked to present the biometric again, up to a certain maximum number of tries.

4.1.1.3. Identification Process

In the identification process, the system recognizes an individual by searching the templates of all the users in the database for a match (Figure 3). Therefore, the system conducts a one-to-many comparison to establish an individual’s identity (or fails if the subject is not enrolled in the system database) without the subject having to claim an identity (e.g., “Whose biometric data is this?”). Identification is a critical component in negative recognition applications, where the system establishes whether the person is who she (implicitly or explicitly) denies to be. The purpose of negative recognition is to prevent a single person from using multiple identities. Identification may also be used in positive recognition for convenience (the user is not required to claim an identity). While traditional methods of personal recognition such as passwords, PINs, keys, and tokens may work for positive recognition, negative recognition can only be established through biometrics.
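The enrollment, verification and identification processes above, worked through as an added example that is not part of the original chapter: a toy minutiae matcher with constructed templates stands in for a real ISO 19794-2 matcher, and the similarity threshold, retry limit and pairing tolerances are assumed values.

```python
import math
from typing import Dict, List, Optional, Tuple

# A template is a list of minutiae (x, y, angle in degrees), a cut-down stand-in
# for an ISO 19794-2 minutiae record. Every template below is constructed, not real.
Minutia = Tuple[float, float, float]

MATCH_THRESHOLD = 0.6   # fraction of enrolled minutiae that must be matched (assumed)
MAX_ATTEMPTS = 3        # live presentations allowed per verification (assumed)
DIST_TOL, ANGLE_TOL = 6.0, 15.0   # positional / angular tolerance for a pair (assumed)


def similarity(enrolled: List[Minutia], live: List[Minutia]) -> float:
    """Fraction of enrolled minutiae that pair with a nearby, similarly oriented
    live minutia; each live minutia is consumed at most once (greedy pairing).
    There is no alignment step, so captures must be roughly in the same frame."""
    unused = list(live)
    hits = 0
    for x, y, a in enrolled:
        for i, (lx, ly, la) in enumerate(unused):
            close = math.hypot(x - lx, y - ly) <= DIST_TOL
            aligned = abs((a - la + 180) % 360 - 180) <= ANGLE_TOL
            if close and aligned:
                hits += 1
                del unused[i]
                break
    return hits / len(enrolled) if enrolled else 0.0


class BiometricServer:
    """Stores templates against a customer identity number and answers
    1:1 verification and 1:N identification queries."""

    def __init__(self) -> None:
        self.templates: Dict[str, List[Minutia]] = {}

    def enroll(self, customer_id: str, samples: List[List[Minutia]],
               min_minutiae: int = 8) -> bool:
        """Enrollment: several presentations are taken, the richest is kept,
        and a capture too poor to verify against later is refused."""
        best = max(samples, key=len)
        if customer_id in self.templates or len(best) < min_minutiae:
            return False
        self.templates[customer_id] = best
        return True

    def verify(self, customer_id: str, presentations: List[List[Minutia]]) -> bool:
        """1:1 verification of a claimed identity; gives up after MAX_ATTEMPTS."""
        enrolled = self.templates.get(customer_id)
        if enrolled is None:
            return False
        return any(similarity(enrolled, live) >= MATCH_THRESHOLD
                   for live in presentations[:MAX_ATTEMPTS])

    def identify(self, live: List[Minutia]) -> Optional[str]:
        """1:N identification: the best-scoring enrolled template, or None when
        nothing clears the threshold (subject not enrolled)."""
        scored = [(similarity(t, live), cid) for cid, t in self.templates.items()]
        if not scored:
            return None
        score, cid = max(scored)
        return cid if score >= MATCH_THRESHOLD else None


def recapture(template: List[Minutia], dx: float = 2.0, dy: float = -1.0,
              da: float = 5.0, drop_last: int = 1) -> List[Minutia]:
    """Simulate a fresh live capture: small placement offset, slight rotation of
    each minutia angle, and a minutia missed at the edge of the sensor."""
    kept = template[:len(template) - drop_last] if drop_last else template
    return [(x + dx, y + dy, (a + da) % 360) for x, y, a in kept]


# Constructed enrollment data for two customers. B sits in roughly the same
# spots as A but with different ridge angles, so position alone must not match.
TEMPLATE_A: List[Minutia] = [(10, 20, 30), (40, 22, 90), (15, 60, 180), (70, 70, 45),
                             (55, 35, 270), (30, 80, 10), (80, 20, 135), (60, 90, 300),
                             (25, 45, 200), (90, 50, 75)]
TEMPLATE_B: List[Minutia] = [(12, 25, 100), (45, 30, 20), (18, 65, 250), (72, 75, 160),
                             (58, 40, 5), (33, 85, 300), (85, 25, 210), (62, 95, 60),
                             (28, 50, 330), (92, 55, 140)]


def build_server() -> BiometricServer:
    """Enroll both customers; A's first presentation is a poor partial capture."""
    server = BiometricServer()
    server.enroll("CUST-A", [TEMPLATE_A[:5], TEMPLATE_A])
    server.enroll("CUST-B", [TEMPLATE_B])
    return server
```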

4.1.2. System Elements

To implement a biometric authenticated payment system, three primary system elements need to be put in place by a bank or acquirer (Figure 4). These are:

4.1.2.1. Enrollment System

It is used for enrolling customers onto the program and recording their biometric identity. In the enrollment stage the biometric images of the different individuals to be verified are first processed by the feature extraction module; the extracted features are stored as a template in a database for later use.

4.1.2.2. Verification System

Used at retail locations for verifying the live biometric template against the stored fingerprints to authenticate payments. The biometric image of the individual to be verified is first processed by the feature extraction modules; the extracted features are then fed to a matching module with his/her identity ID, which matches them against his/her templates in the database.

Figure 3. Biometric authentication system

Figure 4. Enrollment, verification, identification in a biometric system

4.1.2.3. Biometric Server

Used for storing the biometric template, extracting and verifying the biometric template during a payment process, and providing an interface to banks and acquirers for managing the customer data and reports.

4.1.3. Components for Secure Online Transactions

The authentication models serve to authenticate a customer who has registered for the service of the biometric payment system. Most models are based on a network authentication system and are composed of a client terminal, which collects the multimodal biometric data, and a server side, which provides the services. The biometric template storage place and the verification place may be held at the client side, the server side or a trusted third party (TTP), which may be a smart card able to perform complex calculations. The different components that interact for secure online transactions in biometric payment systems are:

4.1.3.1. Secure Online Banking Server (SBS)

It has access to the customer’s data; establishes a connection with the Online Banking Software (OBS); conducts capital transactions; and is able to identify a Biometric Trusted Device (BTD) as a communication partner to establish a secure connection.

4.1.3.2. Online Banking Software (OBS)

It is stored on the client and communicates with SBS in order to process different transactions.

4.1.3.3. Secure Biometric Trusted Device (BTD)

A trusted piece of hardware with predefined security criteria to provide secure functionality; it cannot be manipulated by malware, and it has a biometric capture device with a fake-resistant sensor that is qualified for unsupervised operation.

4.1.4. Biometric Information Systems

Additional hardware is required to implement the biometric template in the proposed methodology. A biometric identification system (BIS) is based around a core Automated Fingerprint Identification System (AFIS) that offers full biometric integration, with the inclusion of fingerprints, palm-prints, facial images, descriptive data, signatures and documents. Known as multimodal biometrics (or ‘fusion’ technology), this approach optimizes the results of search queries, consequently achieving more accurate responses. Common BIS elements include:

4.1.4.1. Data Server

It is a central repository (e.g. an Oracle database) for storage and near-immediate retrieval of biometric identifiers together with associated features and textual data (known as ‘descriptor’ data).

4.1.4.2. Work Stations

These are equipped with a camera and scanner to enable the capture, encoding and submission of finger/palm-print images, slap impressions, rolled fingerprint images, photographs, signatures and demographic information.

4.1.4.3. Review Stations

These are designed for the dedicated review and verification of search results, as well as match analysis.

4.1.4.4. Live Verification Stations

These allow the identification of individuals when the subject is present at the time of processing.

4.1.4.5. Optional Peripherals

Portable and single-finger scanning devices, cameras, two/ten-print card printers, automated case management systems, Web servers, application servers, mobile gateways, and descriptor import/export modules.

4.2. Barcode Payments

Barcode technology has developed with the creation of 2D barcodes to increase the data capacity of 1D barcodes. With the integration of cameras, mobile phones act as scanners, barcode readers and portable data storage while maintaining network connectivity. When used together with such camera phones, 2D barcodes work as a tag to connect the digital and physical worlds. Today most mobile applications encode a URL or a website address inside a 2D barcode to visit a Web page containing a video clip or a document that can be accessed from a mobile Web browser. A 2D barcode can also represent a business card, an advertisement coupon or product information, and it can be used in visual cryptography.

In mobile payment systems, 2D barcodes are used to support presale, buy-and-sell, and post-sale operations in the form of transactions. 2D barcodes can be used to present advertisements, coupons, and receipts, which can be captured and decoded by mobile client software on mobile devices. Moreover, 2D barcodes enable mobile devices to become a point-of-sale device that reads the barcode and facilitates payment transactions. After a payment transaction, 2D barcodes can be used to present a purchase receipt to gain access to the information about the purchased goods and services.

4.2.1. 2D Barcode-Based Mobile Payment

There are two ways to build 2D barcodes into mobile payment systems. The first approach is to build 2D barcode-based Point of Sale (POS) systems. The objective is to support mobile payment transactions between mobile users and mobile terminals anytime and anywhere. This type of POS-based payment system can be used in parking lots, taxis, airports and railroad stations. 2D barcodes are useful to support product information retrieval, secure payment transactions, customer and product verification, and mobile security checking.

The other approach is to build 2D barcode-based systems to allow mobile users to issue mobile payment transactions using their digital wallets, based on mobile payment accounts in a mobile payment server. Compared with the existing account-based mobile payment systems, this approach has five distinct advantages:

• It provides buy-and-sell payment services for goods identified using 2D barcodes.

• Mobile users can easily retrieve all related product information from 2D barcodes.

• It easily supports product and customer verification for post-sale services, such as delivery and pick-up.

• It increases the mobile security for pay­ment transactions.

• It improves mobile user experience by re­ducing user inputs.

Following are the steps in the 2D barcode-based payment system using the second approach (Figure 5):

Figure 5. 2D barcode payment system

Step 0: A registered mobile user uses his/her user account and PIN to log in to the mobile payment system by sending a login request to the mobile payment server. The mobile server processes mobile client authentication and sends a login response with the server certificate ID and secured session ID, as well as a public key for the communications.

Step 1: The mobile client authenticates the mobile server with the received public key and server’s certificate.

Step 2: The mobile client captures or receives a 2D barcode for a product of interest from its advertisement. There are two scenarios in which a mobile user can get a 2D barcode. In the first case, the mobile user may use the camera on the mobile device to capture the image of a 2D barcode from a posted product. In the second case, the mobile user may receive a mobile ad on the mobile device from a merchant. The mobile client then decodes the received 2D barcode, which includes product and maker's information, marketing data and the merchant's mobile URL information.

Step 3: The mobile user clicks the given 2D barcode to switch to the target merchant's mobile site using the URL provided in the received 2D barcode.

Step 4: The mobile user prepares and submits a purchasing request with a digital signature as a 2D barcode to the merchant server.

Step 5: The merchant server authenticates the mobile client based on the secured session ID provided by the mobile client, as well as the public key. Meanwhile, the received signed request is validated by the merchant using the private key.

Step 6: The merchant server generates and sends a signed purchase invoice with a transaction ID to the mobile client.

Step 7: The mobile client prepares and sends a payment request with the same transaction ID and a digital signature to initiate a payment request. The digital signature is made using the client private key. The entire message is encoded as a 2D barcode.

Step 8: A secure session is established between the payment server and the mobile client. In this step, the payment server validates the given security information, including the certificate from mobile client, session ID, public key, and received digital signature. The mobile payment server processes the payment transaction.

Step 9: The payment server prepares and sends a payment confirmation with a 2D barcode receipt to the mobile client. The mobile client displays the received confirmation message to the mobile user.

Step 10: The mobile server also sends a payment transaction completion notice with a 2D barcode to the merchant server. This barcode will be useful for the merchant to carry out the post-sale operations, such as pick-up validation or product delivery.
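The signed exchange of Steps 4 to 9, as an added example that is not part of the chapter: the purchase request, invoice, payment request and receipt are each signed and packed into the text payload a 2D barcode would carry, and the payment server checks the session ID, the merchant's invoice signature, the matching transaction ID and the replay of an already settled transaction. The chapter's ECC signatures are stood in for by HMAC-SHA256 tags so that the block runs with the Python standard library only; the keys, account, PIN, product and price are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Added example modelling Steps 4 to 9 of the 2D barcode payment flow.
# The ECC signatures of the original scheme are stood in for by HMAC-SHA256
# tags (stdlib only); keys, account, PIN, product and price are constructed.
CLIENT_KEY = b"constructed-client-signing-key"
MERCHANT_KEY = b"constructed-merchant-signing-key"
SERVER_KEY = b"constructed-payment-server-signing-key"
CATALOGUE = {"SKU-42": 1999}  # constructed: product id -> price in cents


def _tag(key: bytes, body: dict) -> str:
    """Signature stand-in over the canonical JSON form of a message."""
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def encode_barcode(body: dict, key: bytes) -> str:
    """Sign a message and pack it as the text payload a 2D barcode carries."""
    env = {"body": body, "sig": _tag(key, body)}
    return base64.b64encode(json.dumps(env, sort_keys=True).encode()).decode()


def decode_barcode(payload: str, key: bytes) -> dict:
    """Unpack a barcode payload and verify its signature before trusting it."""
    env = json.loads(base64.b64decode(payload))
    if not hmac.compare_digest(_tag(key, env["body"]), env["sig"]):
        raise ValueError("signature check failed")
    return env["body"]


class PaymentServer:
    """Mobile payment server: login (Step 0) and settlement (Steps 8 and 9)."""

    def __init__(self):
        self.sessions = {}      # secured session ID -> user account
        self.settled = set()    # transaction IDs already paid (replay guard)

    def login(self, account: str, pin: str) -> str:
        if (account, pin) != ("alice", "1234"):   # constructed credential
            raise PermissionError("bad account or PIN")
        sid = secrets.token_hex(8)
        self.sessions[sid] = account
        return sid

    def pay(self, payment_request: str) -> str:
        req = decode_barcode(payment_request, CLIENT_KEY)       # client signature
        if req["session_id"] not in self.sessions:
            raise PermissionError("unknown session")
        invoice = decode_barcode(req["invoice"], MERCHANT_KEY)  # merchant signature
        if invoice["txn_id"] != req["txn_id"]:
            raise ValueError("payment does not match the invoiced transaction")
        if req["txn_id"] in self.settled:
            raise ValueError("transaction already settled (replay)")
        self.settled.add(req["txn_id"])
        receipt = {"txn_id": req["txn_id"], "amount": invoice["amount"], "status": "paid"}
        return encode_barcode(receipt, SERVER_KEY)              # Step 9 receipt


class MerchantServer:
    """Merchant server: validates the purchase request and issues the invoice."""

    def invoice(self, purchase_request: str) -> str:
        req = decode_barcode(purchase_request, CLIENT_KEY)      # Step 5
        if not req.get("session_id"):
            raise PermissionError("purchase request carries no session")
        body = {"txn_id": secrets.token_hex(8), "product": req["product"],
                "amount": CATALOGUE[req["product"]]}
        return encode_barcode(body, MERCHANT_KEY)               # Step 6


def run_flow(server: PaymentServer, merchant: MerchantServer, sid: str) -> dict:
    """Steps 4 to 9 for one purchase; returns the verified receipt body."""
    purchase = encode_barcode({"session_id": sid, "product": "SKU-42"}, CLIENT_KEY)  # Step 4
    invoice_payload = merchant.invoice(purchase)                                     # Steps 5-6
    invoice = decode_barcode(invoice_payload, MERCHANT_KEY)   # client checks merchant signature
    payment = encode_barcode({"session_id": sid, "txn_id": invoice["txn_id"],
                              "invoice": invoice_payload}, CLIENT_KEY)              # Step 7
    return decode_barcode(server.pay(payment), SERVER_KEY)                          # Steps 8-9
```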

4.2.2. Mobile Enabled Security Solution in Mobile Payment

To address the security issues in the 2D barcode payment system, the following components are required.

• Authentication Management: This component is built to support the required authentication functions for each party, including mobile client, merchant, and the payment server. In this system each party must be authenticated before any payment transaction.

• Mobile Session Management: This functional component is designed to assure the security of a payment session between involved parties.

• Certification Management: This component is designed to support payment-oriented certificate generation, validation, and management.

• Mobile Key Management: This component is built to generate, distribute and check public and private keys based on the Elliptic Curve Cryptography (ECC) technique.

• Message and Data Integrity Validation: This component is used to check the message and data integrity of the communications between mobile client and the payment server using encryption and decryption methods.

The mobile enabled security solution consists of three parts, which support the security functions and needs in the mobile client software, the mobile payment server, and the merchant server. Unlike other existing electronic payment systems, the major security solutions in the payment system use the Elliptic Curve Cryptography technique to deal with the different security issues, due to its advantages over other cryptographic techniques in processing time, key lengths and key generation, and energy consumption in mobile computing.

5. NFC PAYMENTS

The combination of the mobile device with the latest wireless technology, NFC (Near Field Communication), makes possible a variety of payment applications like ticketing, access control, content distribution, smart advertising, and peer-to-peer data/money transfer. NFC is a short-range wireless connectivity technology that evolved from the combination of existing contactless identification and interconnection technologies.

NFC is a standards-based, short-range wireless technology supporting two-way interactions among electronic devices. A cellular phone having an NFC device is able to communicate not only with the Internet via wireless connections but also with smart card readers. NFC technology brings the user experience, convenience and security of contactless technology to mobile devices, and is enabling quick transactions and services in our day-to-day lives. NFC has revolutionized mobile payments. The major advantage of NFC over other wireless communication technologies is its simplicity: transactions are initiated automatically, simply by touching the reader, another NFC device or an NFC compliant transponder. NFC is a proximity technology relying on the smart card standard ISO 14443 and allowing wireless transactions only over a distance of up to 10 centimetres.

NFC is a short-range and standardised (ISO 18092) wireless communication technology that adds contactless functionality to mobile devices including mobile phones and PDAs (Personal Digital Assistants). Such devices can act both as a "contactless card" (based on their secure element) and as a "contactless reader", and can also operate in P2P mode with peer devices. These devices support various contactless communication standards, such as ISO 14443, ISO 15693, FeliCa and Mifare Standard.

The NFC driven payment model has the potential to evolve from the traditional payment model (where the consumer pays the merchant for the goods using a mobile phone) into a new model where the consumer can also act as a merchant.

From a technical point of view, NFC is a very short-range wireless technology allowing electronic devices no more than 10 cm apart to connect and then transfer data between them at up to 424 kbit/s. Operating at 13.56 MHz, the technology, initially described by NFCIP-1 (Near Field Communication Interface Protocol 1) and standardized in ISO 18092, ECMA 340 and ETSI TS 102 190, now also implements NFCIP-2 (Near Field Communication Interface Protocol 2), which is defined in ISO 21481, ECMA 352 and ETSI TS 102 312. By implementing NFCIP-2, NFC is becoming compliant with the proximity and vicinity card standards (ISO 14443 and ISO 15693 respectively) as well as with the FeliCa contactless smartcard system.

Being interoperable, the technology can be used with multiple devices (e.g., keyboards, cameras, SD cards, game consoles, etc.). Up to now, and thanks to its worldwide deployment, the cell phone is the preferred NFC-enhanced device. It is also the most suitable device to implement the three operating modes defined by the NFC Forum.

5.1. NFC Operating Modes

The technology used in NFC is compatible with existing contactless infrastructure, and an NFC device offers three operating modes.

5.1.1. Reader/Writer Mode

In this mode the NFC device can read or write information such as URLs or SMS messages in a tag or smart card, e.g., in smart poster applications. Here, users touch the device or cell phone to the tag embedded in the poster, which triggers the transmission of a URL to the phone. The URL could be used to open the Web browser without any human intervention.

5.1.2. Card Emulation Mode

In this mode the NFC enabled device emulates a contactless smartcard (ISO 14443). There is a secure element embedded in the device where sensitive data can be stored in a safe place, and value added services requiring a high level of security, such as payment applications, can be made available to customers.

5.1.3. Peer-to-Peer Mode

In this mode a connection is established between two NFC enabled devices and data can be exchanged between them. The NFC peer-to-peer mode (ISO 18092) allows two NFC enabled devices to establish a bidirectional connection to exchange contacts, Bluetooth pairing information or any other kind of data. To establish a connection, a client (NFC peer-to-peer initiator) searches for a host (NFC peer-to-peer target) to set up a connection. The standards ISO 14443 (for contactless smart cards) and ISO 18092 (for NFC peer-to-peer mode) do not specify encryption or security for the contactless communication at all. Such a feature must be implemented by the developer at the application level. At the moment the two major players in the smart card market, NXP Semiconductors with their product Mifare and Sony with FeliCa, have implemented proprietary encryption for their products on top to secure the communication.

The NDEF (NFC Data Exchange Format) is used to transmit data. This mode is standardized in ISO 18092.
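An added example (not the chapter's code) of the NDEF message a smart poster of the kind described above carries: a URI record with its abbreviated-prefix code byte and a Text record with its status byte, built and then parsed with every length field checked, plus the check a handset should apply before auto-opening a URI read from a tag. The tag contents are constructed.

```python
# Added example (not from the chapter): encoder and parser for the NDEF
# message a smart poster tag carries, covering the NFC Forum URI ("U") and
# Text ("T") well-known record types. The tag content below is constructed.
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://", 0x05: "tel:", 0x06: "mailto:"}
TNF_WELL_KNOWN = 0x01


def _record(rtype: bytes, payload: bytes, first: bool, last: bool) -> bytes:
    """Short-record (SR=1) NDEF header: MB/ME flags, SR bit, TNF, then lengths."""
    if len(payload) > 255:
        raise ValueError("short record payload limit exceeded")
    hdr = 0x10 | TNF_WELL_KNOWN | (0x80 if first else 0) | (0x40 if last else 0)
    return bytes([hdr, len(rtype), len(payload)]) + rtype + payload


def uri_payload(uri: str) -> bytes:
    """Abbreviate the longest matching prefix into the URI identifier code byte."""
    code, prefix = max(((c, p) for c, p in URI_PREFIXES.items() if uri.startswith(p)),
                       key=lambda cp: len(cp[1]))
    return bytes([code]) + uri[len(prefix):].encode("utf-8")


def text_payload(text: str, lang: str = "en") -> bytes:
    """Status byte (bit 7 = UTF-16, low 6 bits = language code length) + lang + text."""
    return bytes([len(lang) & 0x3F]) + lang.encode("ascii") + text.encode("utf-8")


def build_smart_poster_tag(uri: str, title: str) -> bytes:
    """Two-record message: the link, then a human-readable title (ME set on the last)."""
    return (_record(b"U", uri_payload(uri), True, False)
            + _record(b"T", text_payload(title), False, True))


def parse_ndef(msg: bytes) -> list:
    """Walk the records of an NDEF message; every length is checked before use."""
    records, i = [], 0

    def take(n: int) -> bytes:
        nonlocal i
        if i + n > len(msg):
            raise ValueError("truncated NDEF message")
        chunk = msg[i:i + n]
        i += n
        return chunk

    while i < len(msg):
        hdr = take(1)[0]
        tnf, sr, il, last = hdr & 0x07, bool(hdr & 0x10), bool(hdr & 0x08), bool(hdr & 0x40)
        type_len = take(1)[0]
        payload_len = take(1)[0] if sr else int.from_bytes(take(4), "big")
        id_len = take(1)[0] if il else 0
        rtype, _rid, payload = take(type_len), take(id_len), take(payload_len)
        if tnf == TNF_WELL_KNOWN and rtype == b"U":
            if not payload or payload[0] not in URI_PREFIXES:
                raise ValueError("unknown URI identifier code")
            records.append(("uri", URI_PREFIXES[payload[0]] + payload[1:].decode("utf-8")))
        elif tnf == TNF_WELL_KNOWN and rtype == b"T":
            if not payload:
                raise ValueError("empty text record")
            status = payload[0]
            lang_len, enc = status & 0x3F, "utf-16" if status & 0x80 else "utf-8"
            records.append(("text", payload[1:1 + lang_len].decode("ascii"),
                            payload[1 + lang_len:].decode(enc)))
        else:
            records.append(("other", tnf, rtype, payload))
        if last:
            break
    return records


def browser_safe(uri: str) -> bool:
    """Only web URLs are candidates for opening from a tag; tel:, mailto: and
    unknown schemes need an explicit user decision before any action."""
    return uri.startswith("http://") or uri.startswith("https://")


# Constructed tag: a poster linking an offer page, with a human-readable title.
SAMPLE_TAG = build_smart_poster_tag("https://www.example.com/offer", "Tap to view")
```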

5.2. NFC Architecture

A mobile device integrated with NFC technology is typically composed of various integrated circuits, SEs and an NFC interface (Figure 6). The NFC interface is composed of a contactless analog/digital front-end called an NFC Contactless Front-end (NFC CLF), an NFC antenna and an IC called an NFC controller to enable NFC transactions. The NFC controller is required for the analog-to-digital conversion of the signals transferred over the proximity connection (e.g., payment at a POS is done through the Single Wire Protocol (SWP)).

The SE provides a dynamic and secure environment for programs and data. The secure element is also referred to as the tag emulation operating mode. It enables secure storage of valuable and private data such as the user's credit card information, and secure execution of NFC-enabled services such as contactless payments. More than one SE can be directly connected to the NFC controller. The supported common interfaces between SEs and the NFC controller are the Single Wire Protocol (SWP) and the NFC Wired Interface (NFC-WI). The SE can be accessed and controlled from the host controller internally as well as from the RF field externally.

The host controller (baseband controller) is the heart of any mobile phone. The Host Controller Interface (HCI) creates a bridge between the NFC controller and the host controller. The host controller sets the operating modes of the NFC controller through the HCI, processes data that are sent and received, and establishes a connection between the NFC controller and the SE. The host controller is also able to exchange data with the secure element (internal mode, e.g., for topping up money in the secure element over the air).

NFC is closely related to RFID (Radio Frequency Identification). RFID is mainly used for remote tracking, tracing and identification of goods and persons without a line of sight, whereas NFC is used for more sophisticated and secure transactions like contactless access or payments. Both technologies have several layers and protocol concepts and are therefore open to the same attacks.

5.2.1. Types of Payments in NFC

Near field communication (NFC) is a short-distance radio communication technology, enabling communication between two devices when they are in close vicinity to each other. This technology is used in contactless payment processing models.

In the context of mobile payment processing, an NFC enabled mobile device can interact with an NFC enabled Point of Sale (POS) device and perform payment functions through NFC connectivity. The NFC implementation uses the ISO/IEC 14443 standards for NFC card reader and NFC device communications. In order to complete a mobile payment transaction, it is essential that the mobile device and the POS equipment are both NFC enabled. There are different scenarios as to how NFC enabled mobile devices can be used to perform payment operations.

The following are the different NFC technology based mobile payment transactions.

• NFC Card Based Payment Processing

• NFC Mobile Wallet Processing

Figure 6. Architecture of NFC integrated in a mobile device

5.2.1.1. NFC Card Based Payment Processing

In this payment transaction processing, an NFC enabled mobile device is used to make card based (credit or debit) payments with an associated NFC enabled POS device (Figure 7). In this scenario, the actual card details along with the PIN details are stored in the mobile device. The information is stored in the NFC controller, which acts like an NFC enabled smartcard. When a transaction is completed at an NFC enabled POS, the payment can be made by an NFC mobile device by bringing it into contact with the NFC POS concerned. On close contact, the bill details are passed to the mobile device; users will be able to see the bill and press the required button to make the payment. The card details along with the PIN are passed to the NFC enabled POS, which will further process the card details to complete the payment transaction. The payment transaction between the NFC POS and the payment gateway service provider continues as it is done today. After completion of payment processing, the NFC POS sends a payment confirmation message to the NFC mobile device, and the overall mobile transaction is closed.

Figure 7. NFC card based processing

5.2.1.2. NFC Mobile Wallet Processing

In this type of payment an NFC enabled mobile device is used to make payments with an NFC enabled POS, using the user's mobile M-Wallet account (Figure 8). Mobile users, instead of using credit cards, use their M-Wallet account to make the payments. The NFC enabled POS presents the bill to the user, who accepts it to make the payment, sending M-Wallet account details to the NFC POS, which further interacts with the user's M-Wallet account service provider to close the payment transaction. After successful payment processing the NFC POS sends a confirmation message to the mobile device, and then the overall transaction is closed.

5.3. NFC Payment Processing

NFC capable POS devices let the merchant connect more closely with customers. The customer needs to have a payment-enabled, NFC-equipped mobile phone. The payment process works as follows:

• Consumer purchases an NFC enabled smart phone and sets up his or her card subscriptions.

• The credit card issuer transfers data to a Trusted Service Manager (TSM).

• The TSM "pushes" credit card data onto the consumer's smart phone. A mobile operator (such as Verizon or AT&T) manages a payment application and issues NFC secure components to make the consumer's phone payment capable.

• Consumer taps their NFC phone on an NFC capable mobile operator acceptance device to make payment via NFC.

• The transaction is routed through the mobile operator's secure payment gateway to the card provider for authorization and processing, and to service providers who may be providing couponing or loyalty rewards and discounts.

NFC is a technology for payment that allows two-way, real-time communication between the merchant and the consumer and enhances the payment process. Some of the NFC-enabled functions at the point-of-sale include:

Figure 8. Mobile wallet processing

• Increasing sales by making it easier for consumers to use virtual e-gift cards, participate in loyalty programs and earn rewards at the POS.

• Two-way communication (peer-to-peer) between the handset and the POS device to transmit coupons, loyalty rewards, payment and promotional messages.

• Providing links and unsurpassed payment convenience for social media fan favourites and group discount offers.

• Gathering customer data efficiently through NFC-enabled devices for improved consumer analytics.

• Enabling alternative payments such as peer to peer.

5.4. NFC Payment Architecture

There are different actors in the NFC payment architecture, where these actors act as enablers in a business-to-business relationship with banks and other service providers, in terms of creating different applications with security features on the SIM card. There is another actor that has a dominant role: the payment card scheme owners, namely VISA and MasterCard. They have launched pilots all over the world and have started transactions with their contactless payment cards, PayWave and PayPass. Since contactless payment cards and NFC payments, through EMV, can work in a similar way, these network owners are very dominant in the NFC payment ecosystem. Further, they are interacting with the payment industry and are engaging in collaborations with handset manufacturers. For example, VISA has collaborated with Nokia, and together they executed trials on M-payments through NFC.

5.4.1. Customer

The customer (end user) is the most important actor in NFC payments. The consumer owns the payment credential (card) and initiates service requests and agreements. Without the customers, the service of NFC and m-payments will be worthless, no matter how technologically advanced and workable this invention is. Therefore it is important for all actors to be aware of and consider the customer's role in m-payments.

5.4.2. Merchant

The merchant is the customer's counterpart in the NFC payment systems. The merchant offers goods or services for sale and decides which payment options to offer to the customer. Merchants benefit from the operational efficiencies generated by faster transactions and fewer requirements to handle cash, which lower costs and enhance customer convenience. Merchants, like financial institutions, can offer their customers purchase-related and loyalty services, such as paperless receipts. Merchants can also make their gift card and loyalty programs more effective; customers' "payment cards" are always available in their mobile phones.

Merchants are also able to deliver advanced mobile marketing and promotion programs that leverage the mobile device and proximity technology to deliver context-sensitive messages to customers, influencing their behaviour inside and outside of the store. Mobile promotions and couponing are prominent features of multiple NFC mobile payment pilots and are proven to have a positive influence on consumer behaviour and great acceptance by customers.

5.4.3. Mobile Contactless Payment Application Service Provider (MCPA SP)

The service provider issues the payment application to the customer. An MCPA SP must be a payment service provider and is also the card issuer. The service provider determines the profile of the payment application and the terms of use.

5.4.4. Mobile Network Operator (MNO)

In NFC payment systems, OTA provisioning most often uses the MNO's mobile network. This does not mean that the MNO has to have an active role in the NFC payment system, except as an SE issuer for the UICC, or through subsidising or selling NFC-enabled handsets.

As an important factor in mobile payment systems, it can be argued that the NFC payment system benefits from the MNO's participation because of its strong distribution power and advanced mobile services experience. The MNO is a highly active part of the NFC payment system as SE issuer when the UICC is the SE.

5.4.5. Trusted Service Manager (TSM)

TSMs offer a single point of contact with mobile operators for financial institutions, transit authorities, and retailers who want to provide a payment, ticketing, or loyalty application to customers with NFC-enabled mobile phones. TSMs provide services to send and load the NFC application over the air to the mobile phone and to aggregate, send, and load personal consumer data over the air. In a large NFC ecosystem, use of a neutral third-party TSM can be the most desirable scenario. The Trusted Service Manager should be separated into two parts: governance and operational. The governance part sets up all the rules, manages and monitors all the regulations within the ecosystem and gives certifications to the actors involved. The operational part deals with the management of applications and is also a single point of contact for its customers and consumers. However, financial institutions or MNOs can also function as TSMs. The role of a TSM is critical in the proximity mobile payments system since it can enable interaction among many service providers and multiple MNOs.

The role of the TSM can be divided into several key functions:

• Interconnect with MNO and service providers

• Guarantee end-to-end security

• Application lifecycle management

• Enrol new user

◦ Create security domain

◦ Download OTA contactless application

• Activate/deactivate services

• Update user interface

• Manage NFC customer database

These functions are the core business of the TSM and are something that has to be handled with care. Many of these functions deal with sensitive issues such as trust and security.

5.4.6. Handset Manufacturer (HM) and or Platform Provider

The HM has an important role in NFC payment systems by manufacturing and selling NFC enabled handsets. It can also act as an SE issuer for the embedded SE. For the sake of simplicity, the HM is assumed to include the role of a platform provider. The HM (and/or platform provider) is a part of the NFC payment ecosystem as an SE provider for the embedded SE. The HM regards its role as very easy to predict and understand: to be in charge of manufacturing mobile phones with NFC devices implemented. Even though the role is quite clear, executing it is much more difficult. This has to do with, for example, the space available inside a phone and the different standards that change every so often.

5.4.6.1. Acquirer/Bank

The acquirer is responsible for handling financial acquisition in payment systems. That is, it initiates the clearing and settlement of payment transactions through payment schemes and banks.

5.4.6.2. Payment Scheme

The payment scheme (card scheme) is responsible for handling agreements with scheme participants, setting fees and establishing technical, functional, branding and certification policies for scheme participants (Figure 9).

In addition to direct relationships with the relevant systems, the payment scheme has many indirect relationships, for example, the certification of SEs and POS technology to ensure that it meets the required security and interoperability standards prior to market release.

5.5. NFC Security Approaches

Contactless payment, as implemented by American Express, MasterCard and Visa, is secure. The financial payment networks used to process contactless payments are the same networks that process millions of magnetic stripe transactions securely every day.

The financial payments industry has designed multiple layers of security throughout the traditional credit and debit payment systems to protect all parties involved in a payment transaction. Most of these protective measures are independent of the technology used to transfer the consumer payment account information from the payment card or device to the merchant POS terminal and are used for both magnetic stripe and contactless transactions. For example, online authorization, risk management and fraud detection systems are used to detect potentially fraudulent activity for any credit or debit card payment transaction.

For contactless payments, the financial industry also uses added security technology, both on the contactless device as well as in the processing network and system, to prevent fraud. While implementations differ among issuers, examples of security measures that are being used include the following.

• Industry Standard Encryption: At the card level, each contactless card can have its own unique built-in secret “key” that uses standard encryption technology to generate a unique card verification value, cryptogram or authentication code that exclusively identifies each transaction. No two cards share the same key, and the key is never transmitted.

• Authentication: The issuers verify that the contactless payment transaction has a valid card verification value, authentication code or cryptogram before authorizing the transaction. Therefore, at the system level, the issuer has the ability to automatically detect and reject any attempt to use the same transaction information more than once. Thus, even if a fraudster should "read" information from a contactless transaction, or even multiple transactions from the same card, this information would be useless.

• Confidentiality: The processing of contactless payments does not require the cardholder name to be exchanged between card and terminal. The best practices being used within the industry do not include the cardholder name in the contactless chip.

Figure 9. NFC payment architecture

• Control: Some contactless payment cards and devices do not include the cardholder's account number, but use an alternate number that is associated with a payment account by the issuer's backend processing system. This alternate number cannot be used in other payment transactions (e.g., with a magnetic stripe card or on the Internet). In addition, cardholders control both the transaction and the card throughout the transaction. Cardholders do not have to surrender either a card or their account information to a third party during a contactless transaction, and contactless payment devices are designed to operate at very short ranges so that the consumer needs to make a deliberate effort to initiate the payment transaction.
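The per-card key, per-transaction cryptogram and issuer-side replay rejection described in the Encryption, Authentication and Control bullets, as an added example that is not from the chapter: the device presents an alternate (token) number, and the issuer recomputes the cryptogram from its diversified key and declines any reused transaction counter or altered amount. HMAC-SHA256 stands in for the card scheme's own MAC algorithm, and the issuer key and token are constructed.

```python
import hashlib
import hmac

# Added example (not from the chapter): issuer-side verification of a per-
# transaction cryptogram from a contactless card or NFC device. Each card holds
# its own key, derived here from a constructed issuer master key; the cryptogram
# is an HMAC-SHA256 tag standing in for the card scheme's own MAC algorithm.
ISSUER_MASTER_KEY = b"constructed-issuer-master-key"
# Alternate (token) numbers presented by the device -> real account (constructed).
TOKEN_VAULT = {"4111-TOKEN-0001": "acct-constructed-001"}


def card_key(token: str) -> bytes:
    """Diversify one key per card from the issuer master key; it never leaves
    the card or the issuer host, only values computed with it do."""
    return hmac.new(ISSUER_MASTER_KEY, token.encode(), hashlib.sha256).digest()


def cryptogram(key: bytes, atc: int, amount: int, unpredictable: bytes) -> str:
    """Application cryptogram over the transaction counter (ATC), the amount and
    the terminal's unpredictable number, so every transaction yields a new value."""
    data = atc.to_bytes(2, "big") + amount.to_bytes(6, "big") + unpredictable
    return hmac.new(key, data, hashlib.sha256).hexdigest()[:16]


class ContactlessDevice:
    """Card or NFC secure element: keeps the key and a monotonic counter."""

    def __init__(self, token: str):
        self.token, self._key, self.atc = token, card_key(token), 0

    def generate_ac(self, amount: int, unpredictable: bytes) -> dict:
        """What the terminal receives at the tap: token, counter, amount, UN, AC."""
        self.atc += 1
        return {"token": self.token, "atc": self.atc, "amount": amount,
                "un": unpredictable.hex(),
                "ac": cryptogram(self._key, self.atc, amount, unpredictable)}


class Issuer:
    """Host system: recomputes the cryptogram and rejects any reused counter."""

    def __init__(self):
        self.last_atc = {}   # token -> highest counter already authorized

    def authorize(self, tx: dict) -> str:
        if tx["token"] not in TOKEN_VAULT:
            return "declined: unknown token"
        expected = cryptogram(card_key(tx["token"]), tx["atc"], tx["amount"],
                              bytes.fromhex(tx["un"]))
        if not hmac.compare_digest(expected, tx["ac"]):
            return "declined: cryptogram mismatch"    # amount or data altered in transit
        if tx["atc"] <= self.last_atc.get(tx["token"], 0):
            return "declined: replayed transaction"   # same captured data presented again
        self.last_atc[tx["token"]] = tx["atc"]
        return "approved"
```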

In addition to the security measures mentioned above, financial institutions prepare the account data and send the payment account information to a TSM. The TSM delivers the consumer's payment account information over the air (OTA) through the mobile network to the secure element in the mobile phone. Once the payment account is in the phone, the consumer can use the phone as a virtual payment card at merchants who accept contactless credit and debit payments. Payments are processed over the current financial networks with credits and debits to the appropriate accounts.

The transmission of payment, personalization, and life cycle management information from the issuer to the TSM is secured by standard Internet technologies, such as secure sockets layer (SSL) or virtual private networks (VPNs). Global Platform's secure channel protocol provides for transmission of sensitive account data between the TSM and the SE in the mobile device and storage of such information in the SE. Account data is further kept secure from OTA sniffing by encryption provided by the MNO. When the consumer uses the NFC device for payment, the transaction is protected using the dynamic cryptogram authentication technology already in place for contactless credit and debit cards.

• Secure Delivery of Financial Data: Mobile contactless payments do not require that account data be stored on a physical card. The data is passed securely from the issuing bank through a TSM to the SE in the mobile handset. The data is protected by cryptography throughout the process; the TSM has a critical role in managing the security of the process and keeping the cryptographic keys secure through the use of both physical and logical security measures.

• Protecting Stored Payment Application and Account Information: Within the mobile phone, both the payment application and consumer account information must be protected, and different NFC applications must be able to work securely and independently of each other. Security approaches used include:

◦ Storing the payment application and data in the SE.

◦ Using Global Platform-specified security domains and hierarchy to provision data OTA to the SE.

◦ Using smart card technology inherent in the SE to authenticate all communications with the application to update or change operational parameters and to provide built-in tamper resistance security features that recognize hostile attacks and take appropriate protective measures, such as blocking the application.

◦ Providing a mobile wallet for accessing the payment account information in the SE during a transaction, with an optional personal identification number (PIN) authorizing access to the wallet.

◦ Leveraging existing and future EMV contactless card transaction authentication security technology.

◦ Leveraging existing issuer host systems.

6. EXAMPLES OF REAL WORLD MOBILE PAYMENT APPLICATIONS

The existing wireless payment systems can be classified into the following types: account based payment systems, token-based payment systems, mobile POS (point of sale) payment systems, and mobile wallet payment systems. But the mobile payments scenario is still in its infancy. People are still not aware of mobile payments, and still face many dilemmas in doing transactions and payments. People are not aware of the difference between mobile payments and mobile banking. This is especially so in rural parts, due to poor connectivity, erratic power supply, the low income level of people and the remote locations of the states. Some of the payment systems in use are Beam, Pay-as-you-go, MChek, PayMate and UID projects in micropayments. Other existing payment systems are PayPal, Mobipay, Nokia Wallet and Vodafone's m-pay bill. Mobile FeliCa and Mobile Suica are the two successful solutions launched in the Asian market.

6.1. Beam

Beam is a micropayment service aimed at the non-banked rural population of India. Beam distributes prepaid vouchers that one can purchase in denominations of Rs 100-1000 and load into an account tied to the mobile number through SMS or IVR. The strategy for Beam seems to be a little confused: they claim to serve the rural crowd, but the agency is targeting the urban youth. A related opportunity for Beam could be micro-transfers, wherein the migrated rural crowd could use the service to transfer money to their family's Beam account back home. The family member could then transfer the value to the Beam agent's account in the village and receive cash. This could be an alternative to the money order. On the face of it, the service seems to have no differentiator from ITZ Cash cards.

Limitations:

• Inefficient, costly and unsecured modes of money transfer.

• Because of technological limitations, the account is sometimes not recharged successfully: either the customer never gets the balance, or a double recharge is done on one single transaction.

• There are several business issues in addition to regulatory and supervisory issues.

6.2. Pay-As-You-Go

This is a cell phone service applied to small-scale solar energy systems. Simpa Networks, partnering with the solar manufacturer Selco India, supplies customers with the hardware upfront; customers then purchase pay-as-you-go cards in increments of 50, 100 and 500 rupees, which supply them with a code that they enter to unlock the solar system. Customers can also top up their account with their cell phones.

Limitations: Renewable energy installations come with an upfront cost that poor communities in India cannot afford. People spend the little that they earn immediately, with no real savings.

6.3. MChek

It allows a cell phone to act like a debit card. It is a mobile based secure transaction platform that can be used for remote authentication, authorization and notification of payments from a bank account using a mobile phone. Its services are available to almost everyone who owns a mobile phone and a bank account. SIM cards from Airtel, Vodafone, TATA Indicom and TATA DoCoMo come with the MChek application preloaded. MChek, developed in-house, claims 128-bit 3DES and end-to-end encryption. However, 3DES takes 56-, 112- or 168-bit keys, with no option to trim or augment keys, rendering this statement highly suspect. MChek does, however, add an Interactive Voice Response (IVR) call-back feature to each transaction, which calls the handset a transaction ostensibly originates from to confirm the transaction details using touch tones and automated menus.

Limitations: The services of MChek can be used only after registering a mobile number with it; a 6-digit PIN is then issued to authorize payments. At present MChek provides the facility by registering credit cards, such as Visa and MasterCard, for payments. The main disadvantage of this system is that it cannot be used in rural India because of infrastructural and technological problems.
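The IVR call-back described above is an out-of-band confirmation: the server dials the handset registered to the account, not a number supplied in the request, and ties the confirmation to one pending transaction. The Python below is an added illustration of that pattern and is not MChek's code; the class and function names, the PBKDF2 storage of the 6-digit PIN, the two-minute confirmation window, the three-attempt limit and the sample phone numbers are all assumptions chosen for the example.

```python
"""Added example (not MChek's code): pending transactions confirmed out of band.

A transaction is created by a request, but money only moves once the registered
handset answers the call-back and enters the correct PIN within the window.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PIN_ATTEMPTS = 3          # assumption: failed PIN entries before the transaction is voided
CONFIRM_WINDOW_S = 120    # assumption: seconds the IVR confirmation stays valid
PBKDF2_ROUNDS = 50_000    # assumption: work factor for the stored PIN hash


@dataclass
class PendingTxn:
    txn_id: str
    msisdn: str        # handset registered to the account, never the one in the request
    amount: int        # smallest currency unit, to avoid float rounding
    merchant: str
    created: float     # epoch seconds when the request arrived
    attempts: int = 0
    state: str = "PENDING"   # PENDING -> CONFIRMED | EXPIRED | VOIDED


class OutOfBandConfirmer:
    """Holds registered handsets and the transactions awaiting IVR confirmation."""

    def __init__(self):
        self._pins = {}    # msisdn -> (salt, pbkdf2 hash of the 6-digit PIN)
        self._txns = {}    # txn_id -> PendingTxn

    @staticmethod
    def _derive(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)

    def register(self, msisdn: str, pin: str) -> None:
        """Bind a handset number to a PIN; only a salted hash of the PIN is kept."""
        if not (pin.isdigit() and len(pin) == 6):
            raise ValueError("PIN must be six digits")
        salt = secrets.token_bytes(16)
        self._pins[msisdn] = (salt, self._derive(pin, salt))

    def initiate(self, msisdn: str, amount: int, merchant: str, now: float) -> str:
        """Record a payment request; nothing is debited until confirm() succeeds."""
        if msisdn not in self._pins:
            raise KeyError("handset not registered")
        txn_id = secrets.token_hex(8)
        self._txns[txn_id] = PendingTxn(txn_id, msisdn, amount, merchant, now)
        return txn_id

    def callback_target(self, txn_id: str) -> str:
        """Number the IVR dials: always the registered handset for this transaction."""
        return self._txns[txn_id].msisdn

    def confirm(self, txn_id: str, answered_msisdn: str, pin_entered: str, now: float) -> str:
        """Process the touch-tone PIN entered on the call-back; returns the new state."""
        txn = self._txns[txn_id]
        if txn.state != "PENDING":          # already decided: idempotent
            return txn.state
        if now - txn.created > CONFIRM_WINDOW_S:
            txn.state = "EXPIRED"
            return txn.state
        if answered_msisdn != txn.msisdn:   # answered from another line: ignore entirely
            return txn.state
        salt, expected = self._pins[txn.msisdn]
        txn.attempts += 1
        if hmac.compare_digest(self._derive(pin_entered, salt), expected):
            txn.state = "CONFIRMED"
        elif txn.attempts >= PIN_ATTEMPTS:
            txn.state = "VOIDED"
        return txn.state

    def state(self, txn_id: str) -> str:
        return self._txns[txn_id].state


def run_sample():
    """Constructed walk-through: one wrong PIN, then the right one within the window."""
    c = OutOfBandConfirmer()
    c.register("+919800000001", "123456")            # constructed number and PIN
    txn = c.initiate("+919800000001", 25000, "constructed-merchant", now=1000.0)
    first = c.confirm(txn, "+919800000001", "000000", now=1010.0)
    second = c.confirm(txn, "+919800000001", "123456", now=1020.0)
    return first, second


if __name__ == "__main__":
    print(run_sample())   # ('PENDING', 'CONFIRMED')
```

The call-back target comes from the registration record, so a request that names a different handset cannot redirect the confirmation, and a confirmation answered from another line is ignored without consuming a PIN attempt.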

6.4. PayMate

PayMate offers mobile payment solutions through tie-ups with banks, merchants and other financial institutions. It has partnered with Essar's mobile retail chain Mobile Store to offer mobile payment services, and with Tata Teleservices and Corporation Bank to offer a mobile money transfer service named Green. It also operates mobile payment services in Sri Lanka, Nepal and the UAE, and offers merchant mobile POS solutions in the US through the transaction service provider TSYS. It also runs a mobile-based loan repayment service that is extended to remote rural villages of India through registered agents.

Limitations:

• PayMate's m-payment facility requires the consumer to register on its website. It is unclear whether consumers who do not have this facility will be able to use mobile payments.

• One of the most crucial and basic elements in making mobile money services a success is ease of use and reliability. However, mobile operators, banks and payment providers are struggling to convince customers that the new services are better than those in use today. In other cases, customers simply do not see the need for the payment functionality to be developed. A lot of work still needs to be done to promote customer acceptance.

• Tie-ups with credit cards and some banks only.

• Registration with banks is required through the service provider.

6.5. Osaifu-Keitai

Osaifu-Keitai literally means Wallet Mobile. It is a trademark of NTT DoCoMo, which developed the system. It refers to mobile phones that integrate Sony's Mobile FeliCa ICs, as well as to services provided by applications on these phones. Although it was developed by NTT DoCoMo, the system is also supported by other mobile phone operators, making it the standard mobile payment system in Japan. Osaifu-Keitai services include electronic money, identity cards and loyalty cards, fare collection for public transit, and credit cards.

FeliCa, developed by Sony, is the de facto standard technology used for Japanese smart cards. Many of these cards accept the Osaifu-Keitai (Mobile FeliCa) system as well, or plan to accept it in future. Osaifu-Keitai can provide more convenient services than plastic FeliCa cards. For instance, it can automatically recharge itself via the Internet, or provide the latest information. It can also be used as a ticket for an airplane or an event, by downloading an electronic ticket. Unlike plastic cards, a single Osaifu-Keitai phone may accept multiple applications, each equivalent to a different card. Osaifu-Keitai thus provides many functions on a single mobile phone, and there is therefore a great risk if the phone is lost, broken, or stolen.

Limitations:

• Osaifu-Keitai provides many functions on a single mobile phone. Therefore, there is a great risk if the phone is lost, broken, or stolen. Osaifu-Keitai basically functions even without radio transmissions, so the applications cannot be terminated just by closing a phone account. A user has to contact each service provider to stop all the functions. Some phones can lock the functions via a phone call or an e-mail.

• Since Osaifu-Keitai can function as an identity card (such as a member card, company card, or key card), there is also a risk for those who authenticate it.

6.6. M-PESA

Developed by Vodafone and launched commercially by the company's Kenyan affiliate Safaricom, M-PESA is a small-value (all transactions are capped at $500) electronic payment and store-of-value system accessible from ordinary mobile phones. Once customers have an M-PESA account, they can use their phones to transfer funds to both M-PESA users and non-users, pay bills, and purchase mobile airtime credit for a small, flat, per-transaction fee. The affordability of the service has been a key factor in opening the door to formal financial services for Kenya's poor.

The extremely rapid uptake of M-PESA is a strong vote of confidence by local users in a new technology, as well as an indication of significant latent demand for remittance services. In recent months, M-PESA has begun allowing institutional payments, enabling companies to pay salaries and collect bill payments.

Limitations:

• Financial institutions are facing difficulties in reconciling deposits initiated by M-PESA users to customers' accounts.

• Banks are delaying informing customers that money has been credited to their account.

• Customers are also finding it difficult to make withdrawals from a bank account using the M-PESA channel.

• Problems include resolving incompatible software and, thus far, very limited middleware between financial institutions' and Safaricom's respective systems; customer data-entry errors, particularly for account numbers; money transfer and reconciliation delays; and a lack of transparency on customer fees for M-PESA platform access. (The fee structure is complicated and, because Kenyans are accustomed to paying unusually high fees for all banking and money-transfer services, they are less inclined to demand clear explanations on pricing.)

• Several financial institutions are now embarking on their own mobile banking services and agent networks (Equity Bank, Kenya Commercial Bank and Cooperative Bank lead in these efforts). Others, including most large MFIs, are developing or looking into more compatible middleware.

• Processing delays.

• Customer error.
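Two of the limitations listed in this chapter share a root cause: Beam's double recharge of a single transaction (noted under Beam above) and the reconciliation delays and account-number data-entry errors reported for M-PESA here both arise when the receiving side credits a transfer without recording which operator reference it came from. The Python below is an added example, not code from Beam, Safaricom or any bank, of a receiving-side ledger that credits each operator reference at most once, parks transfers to unrecognised account numbers in a suspense list instead of losing them, and reconciles the operator's batch against what was actually applied. The Luhn check digit used to catch mistyped account numbers, the class and function names and the sample batch are all constructed for the example.

```python
"""Added example (no provider's code): idempotent crediting plus reconciliation."""
from collections import Counter
from dataclasses import dataclass


def luhn_valid(number: str) -> bool:
    """Check-digit test; assumption: account numbers carry a Luhn digit to catch typos."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Transfer:
    ref: str       # operator-side transaction reference, used as the idempotency key
    account: str   # destination account as typed by the customer
    amount: int    # smallest currency unit, so no float rounding


class BankLedger:
    """Receiving-side ledger: each operator reference is credited at most once."""

    def __init__(self, known_accounts):
        self.balances = {acct: 0 for acct in known_accounts}
        self.applied = {}     # ref -> account credited, or None if parked in suspense
        self.suspense = []    # transfers that could not be credited

    def apply(self, t: Transfer) -> str:
        if t.ref in self.applied:
            return "DUPLICATE"              # redelivered message: never credit twice
        if not luhn_valid(t.account) or t.account not in self.balances:
            self.suspense.append(t)         # likely data-entry error: hold, do not lose
            self.applied[t.ref] = None
            return "SUSPENSE"
        self.balances[t.account] += t.amount
        self.applied[t.ref] = t.account
        return "CREDITED"


def reconcile(operator_batch, ledger: BankLedger) -> dict:
    """Compare what the operator says it sent with what the bank recorded."""
    sent = Counter(t.ref for t in operator_batch)
    return {
        "duplicate_refs": sorted(r for r, n in sent.items() if n > 1),
        "missing_at_bank": sorted(set(sent) - set(ledger.applied)),
        "in_suspense": sorted(t.ref for t in ledger.suspense),
        "unknown_at_operator": sorted(set(ledger.applied) - set(sent)),
    }


# Constructed sample batch: T1 is delivered twice, T2 has a mistyped account
# number (last digit wrong), and T4 is in the operator's records but never
# reached the bank (the "customer never gets the balance" case).
SAMPLE_BATCH = [
    Transfer("T1", "79927398713", 50000),
    Transfer("T1", "79927398713", 50000),
    Transfer("T2", "79927398718", 20000),
    Transfer("T3", "4111111111111111", 10000),
]
DELAYED = Transfer("T4", "4111111111111111", 5000)


def run_sample():
    ledger = BankLedger({"79927398713", "4111111111111111"})
    results = [ledger.apply(t) for t in SAMPLE_BATCH]
    report = reconcile(SAMPLE_BATCH + [DELAYED], ledger)
    return results, ledger.balances, report


if __name__ == "__main__":
    for item in run_sample():
        print(item)
```

With the reference recorded before the balance is touched, a redelivered message is reported as a duplicate rather than a second credit, and the reconciliation report names the references the bank never saw, which is the list an operator needs before customers start calling about missing balances.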

6.7. PayPal

It is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online money transfers serve as electronic alternatives to paying with traditional paper methods, such as checks and money orders. Originally, a PayPal account could be funded with an electronic debit from a bank account or by a credit card at the payer's choice. But sometime in 2010 or early 2011, PayPal began to require a verified bank account after the account holder exceeded a predetermined spending limit. After that point, PayPal takes funds for a purchase from funding sources according to a specified funding hierarchy: the balance in the PayPal account, a PayPal credit account, PayPal Extras, PayPal Smart Connect, PayPal Extras MasterCard or Bill Me Later, a verified bank account, and other funding sources, such as non-PayPal credit cards. The recipient of a PayPal transfer can request a check from PayPal, establish their own PayPal deposit account, or request a transfer to their bank account.

PayPal is an acquirer, performing payment processing for online vendors, auction sites, and other commercial users, for which it charges a fee. It may also charge a fee for receiving money, proportional to the amount received. The fees depend on the currency used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient's account type. In addition, eBay purchases made by credit card through PayPal incur extra fees if the buyer and seller use different currencies. In December 2010, PayPal services were attacked in a series of denial-of-service attacks organized by Anonymous. In spite of its international reach, PayPal has limited functionality for multi-country users, most notably the impossibility of having bank accounts in several countries, or of having a shipping address in a different country from one's bank account or credit card.

In 2003, PayPal voluntarily ceased serving as a payment intermediary between gambling websites and their online customers. At the time of this cessation it was the largest payment processor for online gambling transactions. In 2010, PayPal resumed accepting such transactions, but only in those countries where online gambling is legal, and only for sites which are properly licensed to operate in those jurisdictions.

Limitations:

• Because PayPal is not a bank, it does not have to work with you to resolve disputes between users or payment problems. Banks are subject to audits and regulations, but PayPal is an independent corporation and is not subject to the same rules banks must comply with. If you have a dispute about a charge or a payment, PayPal employees will decide how to rule on the dispute. If they decide that you were wrong and should not have received that payment, or that you were wrong and owe the charge you are disputing, that is the end of it. There is no appeals process available, leaving you at the mercy of PayPal employees.

• Because of security issues and U.S. regulations enacted to limit the transfer of money to terrorists, PayPal sometimes freezes an account because of a suspicious circumstance. Accounts may be temporarily frozen because of suspected security breaches, or for a longer term as PayPal investigates potential improprieties. Accounts may be frozen for months, leaving merchants without the ability to extract the funds in their account.

7. FUTURE RESEARCH DIRECTIONS

Wireless technologies and other pervasive computing have changed the way we communicate, do business and carry out transactions. Further work could be done to add and use wireless protocols to increase the speed of transactions and to further improve the security aspect at the transport layer and network layer, in addition to usability. It would be very interesting to add extra hardware to mobile phones for easy installation of barcode technology and NFC technology. Clearly, wireless networks and mobile device technologies are still in rapid development. The growth of 3G/4G network technology and the smartphone brings more and more opportunities to mobile applications. The applications can be implemented in the financial sector not only by the traditional commercial banks but also by Internet payment agents, for example PayPal. Furthermore, the implementation of the application is low cost and can also be easily integrated into other end-to-end mobile applications.

8. CONCLUSION

The goal of this chapter is to research and to understand the concepts and emerging technologies that can benefit mobile payments with respect to mobile payment usability and security. Although the technologies in the development of mobile payments have improved and are experiencing significant development, mobile devices and wireless networks are still "resource-limited" compared to PCs and fixed-line networks. The difficulty in building mobile payment systems lies in how to provide payment transactions with both security and practicality.

The contribution of this chapter is as follows:

1. Some existing systems are understood in detail, and their advantages and limitations have been discussed. Based on the understanding of these systems, different applications can be designed and developed that can be used in the real world. Further research can also be carried out on these systems.

2. The security mechanism is understood thoroughly, and it is concluded that these systems provide security at the transaction, network and application levels. The payment systems developed should provide security at each and every level to improve customer satisfaction as well as the value chain of an organization.

3. In addition to the above, the existing payment systems lack newer technologies, such as NFC payments and barcode payments, that are easy to use and can add another level of security and trustworthiness to transactions.

This work was previously published in Electronic Payment Systems for Competitive Advantage in E-Commerce, edited by Francisco Liebana-Cabanillas, Francisco Munoz-Leiva, Juan Sanchez-Fernandez, and Myriam Martinez-Fiestas, pages 279-307, copyright 2014 by Business Science Reference (an imprint of IGI Global).

APPENDIX

List of Abbreviations

EMV: Electronic Master Visa

HCI: Host Controller Interface

HTML: Hypertext Markup Language

HTTP: Hypertext Transfer Protocol

ICC: Integrated Circuit Card

IMT-Advanced: International Mobile Telecommunications Advanced

IP: Internet Protocol

ISO: International Standard Organization

ITU-R: International Telecommunication Union Radio communication sector

IVR: Interactive Voice Response

LAN: Local Area Network

LCD Controller: Liquid Crystal Display Controller

LTE: Long Term Evolution

NFC: Near Field Communications

OTA: Over the Air

P2P: Peer to Peer

PAN: Personal Area Network

PIN: Personal Identification Number

PLMN: Public Land Mobile Network

POS: Point Of Sale

PSP: Payment Service Provider

PSTN: Public Switched Telephone Network

SE: Secure Element

SSH: Secure Shell Network Protocol for Secure Data Communication

SSL: Secure Socket Layer Protocol

SWP: Single Wire Protocol

TGPP: Third Generation Partnership Program

TSM: Trusted Service Manager

TTP: Trusted Third Party

UE: User Equipment

UICC: Universal Integrated Circuit Card used in mobile terminals in GSM and UMTS networks

URL: Unified Resource Locator

WAE: Wireless Application Environment

WAP: Wireless Application Protocol

WDP: Wireless Datagram Protocol

Wi-Fi: Wireless Fidelity

WIM: Wireless Identity Module

WiMAX: Worldwide Interoperability of microwave access

WLAN: Wireless Local Area Network

WML: Wireless Markup Language

WPKI: Wireless Public Key Infrastructure

WSN: Wireless Sensor Networks

WSP: Wireless Session Protocol

WTA: Wireless Telephony Application

WTAI: Wireless Telephony Application Interface

WTLS: Wireless Transport Layer Security

WTP: Wireless Transaction Protocol

Source: Banking, Finance, and Accounting: Concepts, Methodologies, Tools, and Applications. IGI Global, 2014. 1593 pages.