Tap to Pay History
Contactless payments started back in 2003, when Financial Institutions (FIs) began to pilot the technology in the form of key fobs and small tags; it wasn’t put on a card until 2005.[1] The slow rollout was due to the limited availability of contactless cards and low merchant acceptance. By 2014, when Apple Pay was getting ready to launch and could bring mass-market appeal and attention to contactless payments, FIs also sought to integrate with the main card manufacturers, Europay, Mastercard, and Visa. With these two efforts in effect, adoption has grown widely in the US since 2014, and now 99% of the top 200 U.S. retailers by transaction volume are contactless ready!
How it Works
Tap to Pay (TTP) uses both cryptography and physical hardware to achieve a secure level of communication over a short distance. RFID is composed of 3 components:
Transponder (tag) – The device that houses information that can uniquely identify itself
Transceiver (reader) – The device to capture the communication with the tag
Antenna – Connected to both a transponder and transceiver to broadcast / capture data
The reader gives off an electromagnetic field for tags to come into proximity with. Tags come in a couple of different types. Active tags have an internal battery that pushes signals to an antenna to be broadcast; an iPhone would be an example of using active RFID. They have the benefit that they can be turned off, which prevents a reader from taking data without the user’s awareness. Passive tags have no power source and are activated by the electromagnetic field produced by the reader, which causes currents to flow so that the tag emits a small amount of data. Usually the maximum amount of data a passive NFC tag can hold is around 8kB (for reference, an 8GB flash drive is 1 million times the size). The shelf life of a passive tag is considered to last as long as its internal components stay undamaged.
Concerns
A common concern for contactless cards is that they enable individuals to steal information via close proximity. When it comes to devices such as phones that use active RFID, this is less of a problem, because when the user is not intending to perform a transaction, no signal is being broadcast for nefarious actors to steal transaction information; however, when considering passive RFID systems such as contactless credit cards through EMV, this is a legitimate concern. It is called RFID skimming, and it is possible to obtain information from an unknowing individual. Thankfully though, from my reading (both reviewed and non-reviewed publications) it seems that cryptography is deployed to combat these kinds of attacks. If you want technical details I encourage anyone to take a look at my sources.
Conclusion
Contactless is here to stay, and it provides 3 major benefits that I have found. In a pandemic-ridden world, reducing physical touch and transaction of objects is important. These contactless systems accelerate the volume of transactions that can be processed by speeding up the physical interaction between the seller and purchaser. Next, when it comes to active RFID via services such as Apple Pay and Google Pay, bio-authentication on a phone adds another layer of security to an already well-tested and secure purchasing system. There is a really interesting technical difference between how Google and Apple approach security that can be found in the third reference on the second page, but let it be known there is more than one way to skin a cat(6) when it comes to security (for all the networking nerds out there I hope that got a chuckle). And lastly, there is a reduction of plastic waste from producing physical cards, should we reach a point where virtual cards can be issued and added straight to our mobile devices.
Sources:
[2]
[3]
http://lersse-dl.ece.ubc.ca/record/315/files/usec2017_paper.pdf