NFC Contactless Payment – PCI / EMV Security Standards

NFC contactless payments

Contactless payment, thanks to its ease of use, are becoming part of our everyday lives. Digital payments comprised of online, mobile and contactless cards are expected to hit $3,6 trillion in transaction globally this year. The global value of contactless payments is expected to hit $500 billion annually in 2017 from an expected $321 billion at the end of 2016.


 If today this trend is confirmed into an increasing number of debit, credit and prepaid cards, their generalization is already programmed in mobile phones. More than that, mobile phones can contain the information of several contactless cards in a virtual “purse”. Before making a payment, it is up to you to choose the card that you prefer to use.


In this logic, most bank cards are equipped by default with an RFID / NFC chip that makes it possible to make payments without having to enter its PIN code but simply by approaching it to the payment terminal.


Security cards and concerns


Obviously, when we talk about payment and storage of sensitive information, security is an important factor. Therefore, contactless card payments have the same features as the traditional smart card and PIN code, and transaction process takes place via the same secure networks. Contactless payments by mobile phone also benefit from comparable security features.


For additional security, your bank can set a limit on expenses that you can do without using a PIN, mobile code or fingerprint for verification purposes. For transactions above this limit, you are asked to enter your PIN, mobile code or use the fingerprint reader on your mobile phone. Although low value contactless payments typically do not require a PIN to be entered on the payment terminal, you may be required to do so after a certain number of transactions to verify your identity and prevent fraud. Plus, the European legislation limits the liability of the consumer to 150 euros in case of fraudulent or undesirable payments. This ceiling should be lowered by the end of January 2018. Consumers may even be better protected by national legislation. In addition, payment service providers can offer their customers better protection or even full protection in the case of fraud.


Together with all these precautions, you should always take the necessary steps to keep your PIN or mobile code and any other safety information in a safe place. Inutile to say that if your card or mobile phone is lost or stolen, you must notify your payment service provider (ie the bank or card issuer) as soon as possible.


PCI / EMV Regulatory and Security Standards


Here below are listed the PCI (payment card industry) and EMV (europay mastercard visa) Security Standards which are set to better protect merchant and buyer, in this digital age, from financial fraud.


a)      PCI / DSS Standard:  


Major international card organizations introduced the PCI DSS (Payment Card Industry Data Security Standard) in 2004 to enhance the security of card payments and protect traders and cardholders against data theft. This standard is constantly evolving to respond to threats, and its current version, 3.1, expires on 31/10/2016.

To comply with the standard, card processors, service providers and merchants are required to comply with 12 requirements. The requirements are the same since the standard was created, but are divided into sub conditions that evolve with the versions. Click here for more detail.


b)      The EMV standard


EMV (stands for Europay, Mastercard, Visa) is a technical standard that optimizes the security of card payments and data transfer. Data transfer and authentication intercede via the microprocessor of a chip. The debit and credit card data are stored twice: on the magnetic stripe and on the chip. If the payment terminal is equipped with a chip reader, authentication is done automatically via the EMV chip and not via the magnetic tape, which is now technically out of date.


This standard has now been adopted by virtually all credit card organizations and implemented in more than 80 countries. While the EMV compatibility of cards has rapidly spread to Europe, it has taken much longer to become established in the United States. Credit card fraud has therefore become massively displaced, proof that this standard is indeed an effective for security.


The EMV standard consists of 4 books, all of which contain specifications for chips used in payment systems:

Book 1: interface requirements between the card and the terminal independent of the application.

Book 2: security and management Key Features

Book 3: Application Specifications

Book 4: Cardholder, Attendant and Acquirer Interface requirements


The current version is 4.3 and was released in November 2011. While the EMV standard is virtually unchanged, which indicates its level of maturity, it is on the other hand extended by several others which are still fairly regularly updated. Click here for more details.


c)       The EMV Contactless Standard


This is an extension of the EMV standard, so it relies on all the specifications that make up the chip, and its specifications relate to the used terminals.

The EMV Contactless standard consists of 4 books:


Book A: Architecture and general requirements

Book B: Entry point

Book C: Kernel 7 specifications

Book D: EMV contactless communication protocol specifications


This standard brings together the NFC, which deals with how the devices communicate, and the EMV standard, which deals with how payment is made. It provides for the use of a card (equipped with NFC) or a smartphone. However, the case of using an NFC card does not entirely correspond to the definition of the contactless payment as set out in the introduction, since it recommends introducing the card into a terminal which communicates without contact with the reader responsible for performing the transaction (payment). In the EMV Contactless standard, communication is done in peer-to-peer mode.


d)      3D Secure


The 3D Secure (D for Domain) is also derived from the EMV, and has been made necessary to answer a problem with Internet payment on e-commerce sites. It addresses the problem of verifying that the person making the payment is the holder of the payment card.

•The client selects the type of card and communicate the card number, expiration, cryptogram

•The system verifies that the card is enrolled in 3D Secure

•If the card is accepted, the client is redirected to the site of his bank which sends him a code to validate his purchase

•The system records (for the log sent to the e-merchant)

NB: If this standard does not concern contactless payment, its presentation is interesting in the context of online shopping.