Introduction
Contactless payment systems have evolved into a popular method of payment across the United Kingdom and internationally (CPSS 2012). Many merchants, including ExxonMobil, McDonald’s, Burger King, AMT Coffee, Tesco, Subway and other notable members of the hospitality, production, energy and other industries, accept this form of payment (Anderson 2015). The most influential members of the international financial community, including MasterCard, Citibank, American Express, JPMorgan Chase, Barclays Bank, Visa and other institutions involved in the banking and financial sector, power the system (Dapp 2012; Chaudhury 2012). Commentators anticipate that by 2020 every third transaction, online and offline, will be processed with the help of different contactless payment systems (Financial Conduct Authority 2014).
The system has many obvious advantages. Among other features, analysts commonly highlight increased time efficiency (Chwan & Irwin 2013) (a transaction is completed much faster than if the parties use cash or a traditional PIN-protected credit/debit card purchase), customer satisfaction (Biryukov 2015), transaction transparency (Lee 2015) and many others. Yet others argue that mass adoption of this system is fraught with serious dangers, among which security concerns and lack of privacy are the most conspicuous.
The objective of this research is to discuss the adaptability of the contactless payment system to a vehicle advertising website. The first part provides a general description of contactless payment systems, explains how the system functions and what the prerequisites of its deployment for this project are, speaks about the applicable legal framework and reveals basic technology issues. The second part of this report analyzes key stakeholders of the project and discusses the main aspects concerning usability of the proposed system. The third part aims at providing an explanation of how the contactless payment system will be integrated with the website, and what advantages and disadvantages this system entails.
Contactless Payment Systems in a Nutshell
A typical contemporary contactless payment system comprises a credit/debit card or other device that supports radio-frequency identification technology or near field communication technology (Laudon & Traver 2014). A specially constructed chip, which transmits the signal, is embedded into the card, fob or other supported device. In order to process a transaction, a consumer should wave the device over a receiving mechanism, the reader, which is located at the point of sale (Guadamuz 2013).
For a transaction to occur, an operator of a merchant’s terminal types a command, which is sent to the card, where the balance is stored. After the card is waved over the terminal, the amount is withdrawn from the balance, and a note is recorded in the log of transactions (Mobile Transaction 2015).
In order to protect the cardholder from potential cyber interceptions, each transaction is validated by a unique, dynamic code, which changes every time a transaction starts (Ofcom 2014). Typically, a distance of 4 cm is sufficient to process a payment request (Mobile Transaction 2015).
Near-field communication (NFC) is a core element of this technological solution when a transaction involves the use of a mobile phone and a sales terminal (Miller, Cross & Hollowell 2014). With the use of short-range radio frequencies, a gadget that is capable of reading data can read what is stored on the tag of another device. RFID (radio frequency identification) technology is used in the manufacture of contactless credit/debit cards, vouchers and other items that are not smartphones or other devices with integrated operating memory. Both NFC and RFID protocols transfer data by means of inductive coupling (Anderson 2015). When electric current passes through the magnetic panel, induction occurs (Delamaire, Abdou & Pointon 2009).
The gadget is outfitted with a special chip and a coil of wire, while the receiver (in our case, a terminal station) has a magnetic panel and a coil of wire (Norman 2013). When a user places the gadget within several inches of the payment terminal, a jumping electric current closes the circuit, and a radio wave passes from the gadget to the terminal station (Ofcom 2013).
At the same time, NFC-based connectivity has several advantages over RFID. The most important aspect is that it supports two-way communication channels (The UK Card Association 2012). In practice, a payment terminal can send signals to the device, and it is also capable of storing the history of transactions.
Overall, it is evident that the system supports both plastic cards, which are thought to be the most popular contactless payment solution, and electronic gadgets like smartphones, where the digital balances of a user may be stored.
Firstly, because the project mostly focuses on the United Kingdom market, it is important to know which financial institutions issue debit or credit cards equipped with such technology, and what types of gadgets support it.
With regard to the financial institutions, the research revealed that the following banks and card-issuers support this technology (Payments UK):
Barclays Bank
HSBC Holdings
Standard Chartered
Secure Trust Bank
Virgin Money
Weatherbys
Moreover, some ‘unconventional’ payment systems (which, considering their popularity, are quickly becoming conventional) include PayPal, Payoneer and Google Wallet. All of them support digital interfaces, and the payment providers issue contactless cards upon user request (The UK Card Association 2012).
The second step involves integrating a contactless payment system with the website. Depending on the coding of the system, it may be implemented via various methodologies and frameworks. The payment systems discussed in this report have well-developed frameworks, which may be easily integrated into the web-application architecture. Although the integration is somewhat time and resource consuming, on condition that experienced and professional developers are available, this application is expected to be realized without serious technological complications. Several vendors operating in similar fields of e-commerce have already implemented this system, and their case studies are available for further analysis and imitation. Moreover, because contactless payment systems are of great academic interest for many software enthusiasts, useful open-source data is freely available.
Finally, when the system is integrated, a series of tests should be organized (Nissanoff 2006). Involvement of experienced and professional quality assurance agents is critical in this regard (Miller, Cross & Hollowell 2014). All payment options should be tested separately and under different working scenarios. For instance, it is essential to take into consideration that not all users use Google Chrome as their main web browser. Although the popularity of Windows Explorer, Opera and Mozilla Firefox is steadily declining, their market share is still significant.
Customers and Managers User Experience
The coalescence of practice and theory shows that the concept of user experience is a critical component of any successful web-based project and product ownership framework. Conceptually, it includes various practical, experiential and affective elements of interaction between a computer and a human being (Laudon & Traver 2014). In addition, it also includes individual perceptions of a user regarding the system's ease of use, efficiency and security. It has two necessary features, which should always be taken into consideration by the project developers.
Firstly, user experience is always subjective, meaning that the individual perception and thought of a user determines whether he likes a product or not (Kotler 2009). Thus, it is clear that it is impossible to create a product that suits the interests of all potential users. However, the research demonstrates that making a product that suits the interests and desires of the majority is a feasible scenario (Lee 2015). Secondly, user experience is always dynamic, which means that it constantly changes (Miller, Cross & Hollowell 2014). Therefore, it is important to create a system that is modifiable, i.e. the developers should be capable of introducing various changes and enhancements if informed by the company analysts.
There are several important user expectations inherent to both the users and the system administrators. In particular, the system should be safe, aesthetically appealing and technically reliable.
Safety of the System
The generalized conclusion of contemporary research relating to the safety and security of contactless methods of payment is that they are mostly reliable (Lee 2015). To quantify the results, several joint studies found that less than one cent is stolen from each hundred dollars spent through contactless payment systems. Yet the analysts highlight that, despite some strong features of the system, it has several serious vulnerabilities (Norman 2013; Laudon & Traver 2014).
As discussed before, contactless cards use an NFC-based standard. The card has an integrated chip, which is responsive to the signals dispatched by the terminal at the 13.56 MHz range of frequency (Mobile Transaction 2015). Despite the fact that various systems apply their own frequency standards, the core of the technology is the same for Visa, MasterCard, American Express or any other cards.
Accordingly, the first defensive solution applied by the card issuers is merely physical. In order to process a transaction, the card should be placed in close proximity to the terminal (Dapp 2012; Biryukov 2015). Therefore, making a payment in a clandestine manner becomes considerably difficult. However, a dedicated technician can assemble a customized reader that is capable of transmitting a radio wave over a considerably longer range (Biryukov 2015). Thus, a team of researchers from the University of Sydney conducted an experiment, which resulted in the development of a compact scanner capable of reading and sending the data within 0.8 meters.
The analysts from the Kaspersky security laboratory raised serious concerns regarding this issue. Such a device may issue multiple requests to a wide array of cardholders in densely crowded places like airports, shopping malls etc. If such a device ever got into the hands of criminals, the victimization rate could become unpredictably high.
Dedicated Spanish hacking specialists Ricardo Rodrigues and his close associate Jose Villa have developed an interesting and comparatively sophisticated method of sending signals to a contactless card. The vast majority of smartphones manufactured today are equipped with an NFC module (Lee 2015). Naturally, many smartphones are often held in close proximity to a wallet with the cards. In accordance with Villa’s algorithm, an Android-powered smartphone becomes infected with a special Trojan virus. Then, when a user places his compromised device near the card, a scammer may start making transactions by placing his NFC-equipped smartphone near the terminal station. This Trojan virus is distributed via traditional methods, mainly malware distribution and downloading of hacked paid applications. Every user operating Android 4.4 or higher may be victimized.
Physical proximity is not the only defense in the protection framework of contactless payment cards. A more serious task for a hacker is to bypass the encryption systems. The research shows that the cards are protected by the same EMV standard that is used in protecting regular plastic cards with integrated EMV chips. While it is not too difficult to have a magnetic stripe duplicated, cloning the chip is a difficult task. When a request from a payment terminal is received, the chip generates a one-time key, which can be intercepted, but which will be invalidated for the next transaction (Ofcom 2014). Despite the fact that various researchers have voiced many concerns about the security of EMV systems, not a single case involving real-life breaking of an EMV-based card is known so far.
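The one-time code described above, as an added example that is not part of the original essay: a simplified model in which HMAC-SHA256 stands in for the EMV cryptogram algorithm, and the Card and Issuer classes, the key, the card number and the field names are all constructed for illustration. It shows why an intercepted code is rejected when it is sent again or when the amount is altered.

```python
import hashlib
import hmac
import struct


def _code(key: bytes, pan: str, amount: int, nonce: bytes, counter: int) -> str:
    """MAC over everything that defines this one transaction (simplified)."""
    msg = pan.encode() + struct.pack(">QH", amount, counter) + nonce
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class Card:
    """Chip side: holds the secret key and a counter that only ever increases."""

    def __init__(self, pan: str, key: bytes):
        self.pan, self._key, self._counter = pan, key, 0

    def pay(self, amount: int, terminal_nonce: bytes) -> dict:
        self._counter += 1  # new value on every tap, so the code never repeats
        code = _code(self._key, self.pan, amount, terminal_nonce, self._counter)
        return {"pan": self.pan, "amount": amount, "nonce": terminal_nonce,
                "counter": self._counter, "code": code}


class Issuer:
    """Bank side: recomputes the code and remembers the highest counter seen."""

    def __init__(self):
        self._keys, self._last = {}, {}

    def enrol(self, pan: str, key: bytes) -> None:
        self._keys[pan], self._last[pan] = key, 0

    def verify(self, m: dict) -> str:
        key = self._keys[m["pan"]]
        expected = _code(key, m["pan"], m["amount"], m["nonce"], m["counter"])
        if not hmac.compare_digest(expected, m["code"]):
            return "bad code"   # forged or altered message
        if m["counter"] <= self._last[m["pan"]]:
            return "replayed"   # genuine code, but it was already used
        self._last[m["pan"]] = m["counter"]
        return "approved"


def demo() -> list:
    key = bytes(range(16))                        # constructed sample key
    card, bank = Card("0000000000000000", key), Issuer()  # constructed card number
    bank.enrol(card.pan, key)
    first = card.pay(450, b"\x01\x02\x03\x04")    # amount in pence
    return [bank.verify(first),                        # fresh code
            bank.verify(dict(first)),                  # intercepted copy sent again
            bank.verify({**first, "amount": 45000}),   # copy with the amount changed
            bank.verify(card.pay(450, b"\x05\x06\x07\x08"))]  # next genuine tap


if __name__ == "__main__":
    print(demo())
```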
However, it is important to stress one security concern. Conventional EMV-based cards have a two-tier system of protection, which involves a PIN code and an encryption key (The UK Card Association 2012). The PIN code is entered by the user. However, in the situations involving contactless payment cards, the protection is limited to the interchange of encryption keys between a payment terminal and a card.
Theoretically, there is a possibility to create a terminal whose technical characteristics will allow it to read the NFC data virtually from the pockets of users. In the meantime, such a system should have the ‘recipient’s’ encryption keys, which are issued by an acquiring bank and a payment system. Thus, any potential scam may be easily investigated, should someone decide to use it for fraudulent purposes (Chaudhury & Kuilboer 2012).
A generalized conclusion is that it is practically impossible to intervene into the system and withdraw funds without authorization, provided that the perpetrators of a scam are not working for a financial institution, which issues terminals.
Usability of the System
The International Organization for Standardization defines the concept of usability as the capability of a product to achieve the user’s goals effectively and efficiently (Card, Moran & Newell 1983). In accordance with today’s understanding of usability, its proper implementation has five primary dimensions:
The aspect of learnability. It should not be difficult for the new users to accomplish the most basic tasks, when they encounter the system interface for the first time.
Efficiency aspect means that when the users have mastered the design, they should perform the tasks as quickly as possible.
The design should be memorable, i.e. when an average user returns to the design after a period, during which he had not used the system, restoring his proficiency should not be a challenging task.
The number of errors made by the user should be minimal. Yet, if any errors do take place, their severity should not be significant, and recovering from these errors should not be too time or resource consuming.
Finally, users should be satisfied aesthetically and be in general state of gratification when the program is in use.
Thus, the team should identify all potential errors, mismatches and discrepancies with these five principles during the testing stage. Improving user experience and usability of the system should be prioritized in each upgrade or patching of the system.
Conclusions
Safety and security of the system are central issues pertaining to this case. Today’s research shows that although the system lacks traditional double protection (the PIN phase is removed), today there are no reliable methods for a layman to hack the system. Even if someone develops an algorithm capable of intervening into the interchange of signals between terminal and card, withdrawing money is possible only when a cyber assailant works for a financial institution and has access to the encryption codes.
With regard to user experience and usability of the system, the developers should stick to the five principles of effective and convenient user interface. Provided that they are duly observed, the developers have high chances of making a commercially successful product.
Bibliography
Anderson R, 2015, Risk and privacy implications of consumer payment innovation. Web. Retrieved from https://www.cl.cam.ac.uk/~rja14/Papers/anderson-frb-kansas-mar27.pdf
Biryukov V, 2015, Are contactless payments safe? Web. Retrieved from https://blog.kaspersky.com/contactless-payments-security/9422/
Card SK, Moran TP & Newell A, 1983, The psychology of human-computer interaction. Hillsdale, NJ: Lawrence Erlbaum Associates.
Chaudhury A & Kuilboer, 2012, E-business and e-commerce infrastructure: technologies supporting the e-business initiative. Oxford: Oxford University Press.
Chwan & Irwin, J, 2013, Introduction to computer networks and cybersecurity. Boca Raton, FL: CRC Press.
CPSS, 2012, Redbook - Payment, clearing and settlement systems in the United Kingdom. Web. Retrieved from https://www.bis.org/cpmi/publ/d105_uk.pdf
Dapp, DF, 2012, The future of (mobile) payments New (online) players competing with banks. Web. Retrieved from https://www.dbresearch.com/PROD/DBR_INTERNET_EN-PROD/PROD0000000000298950/The+future+of+(mobile)+payments%3A+New+(online)+players+competing+with+banks.PDF
Delamaire L, Abdou H, & Pointon J, 2009, Credit card fraud and detection techniques: A review. Banks and Banks Systems. Web. Retrieved from http://businessperspectives.org/journals_free/bbs/2009/BBS_en_2009_2_Delamaire.pdf
Financial Conduct Authority, 2014, A new regulatory framework for payment systems in the UK. Web. Retrieved from https://www.fca.org.uk/static/documents/psr/psr-cp14-1-cp-a-new-regulatory-framework-for-payment-systems-in-the-uk.pdf
Guadamuz A, 2013, Electronic Money: A viable payment system? Web. Retrieved from https://www.era.lib.ed.ac.uk/bitstream/handle/1842/2255/electronicmoney.pdf;jsessionid=941BFB612EC97C76E8775829C4C85E8E?sequence=1
Kotler P, 2009, Marketing management. New Delhi: Pearson Prentice Hall.
Laudon K & Traver C, 2014, E-commerce : business, technology, society, London: Pearson.
Lee N, 2015, Counterterrorism and cybersecurity : total information awareness. Cham: Springer.
Miller R, Cross F & Hollowell W, 2014, The legal and e-commerce environment today: business in its ethical, regulatory, and international setting. Cambridge: Cambridge University Press.
Miller S, 2000, Law & the Internet: a framework for electronic commerce law. Hart Publishing, London.
Mobile Transaction, 2015, Contactless payments taking off in the UK in 2015. Web. Retrieved from http://www.mobiletransaction.org/contactless-payments-uk/
Nissanoff D, 2006, FutureShop : how the new auction culture will revolutionize the way we buy, sell, and get the things we really want. London: Penguin Press.
Norman D, 2013, The design of everyday things. London: Basic Books
Ofcom, 2014, Innovation in UK consumer electronic payments. Web. Retrieved from http://stakeholders.ofcom.org.uk/binaries/research/technology-research/2014/e-payments.pdf
Payments UK, 2015, World Class Payments in the UK Enhancing the payments experience. Web. Retrieved from http://www.paymentsuk.org.uk/sites/default/files/World%20Class%20Payments%20in%20the%20UK_Payments%20UK%20August%202015.pdf
The UK Card Association, 2012, Contactless limit on debit and credit cards goes up to £20. Web. Retrieved from http://www.theukcardsassociation.org.uk/wm_documents/Contactless%20limit%20-%20final.pdf