Operational Challenges of Tap to Phone
We’ve talked at length in previous blogs about the opportunities to use phones and tablets with near-field communication (NFC) interfaces for payment acceptance, as well as the security requirements and challenges that such systems face. However, operational challenges accompany the use of nondedicated hardware in payments. A payment terminal goes through exhaustive testing under EMV Level 1, checking that the physical interface used to interact with the card is sufficiently robust under many different circumstances. For contactless payments, this means testing the ‘contactless volume’ the terminal produces, which is the region above the terminal’s contactless antenna within which a payment card can be powered and operated.
In EMV Level 1 contactless testing, this contactless volume must be sufficient to operate a card at 4 cm above the center of the contactless antenna.
Experiment setup — you’re holding it wrong?
However, commercial off-the-shelf (COTS) payment devices are not required to go through EMV Level 1 testing and therefore often have much reduced contactless volumes. This is well understood — they are just not as good as dedicated payment terminals in accepting contactless card payments (because of this reduced contactless volume) — but what exactly is the difference between the two payment acceptance types? In this blog, we discuss the testing we have performed on a number of COTS devices using a variety of different payment instruments to get an idea of what type of operational difference can be expected in real-life operating conditions.
For this experiment, we used various payment instrument form factors as well as various COTS devices for reading the payment instruments. Each payment instrument was tested with a card reading application at different distances from the NFC antenna of the COTS device (0.5 cm, 1 cm, 1.5 cm and 3 cm) and at four different horizontal orientations.
Experiment results — ill communication
As these experiments are designed to gain an indication of the effectiveness of COTS devices for reading contactless payment instruments and have not been performed in fully controlled environments under ISO 17025 quality control, we have not provided the names of the phone and card brands we used for this testing. The goal of this testing is not to compare different brands of phone but to get a feeling for how well a COTS payment system may actually operate in comparison to a dedicated payment terminal.
Our testing found that COTS devices are not as capable as dedicated payment terminals in terms of reading contactless payment cards, with over 40% of all attempted card reads failing. However, the data is more nuanced than that, with indications that the type of payment instrument used, the orientation of that instrument, the distance from the COTS reader and the specific brand/model of the COTS device used as a reader are all important factors in how well these devices work for payments.
Payment cards were found to be the most troublesome payment instrument to use with COTS-based contactless applications. This is not surprising given that a payment card does not have its own power source. The card must draw wholly on the power provided by the reader’s contactless volume, both to perform the necessary processing and operations and to transfer data back and forth to the reader.
What is perhaps more surprising is that some COTS-based payment instruments (both smartphones and smartwatches) did not fare much better than ‘traditional’ cards, despite having their own power sources. The antenna design and placement in the COTS payment instruments used is likely a factor, which speaks to the fact that testing of these antennas can be very important to their operability in payments.
The results also reflected this when examined from the point of view of the readers used – some COTS devices were much better at reading payment instruments than others. Below we chart different models of COTS devices from three different vendors, showing that some devices had a greater than 80% success rate with reading the presented payment instruments and some only just exceeded 60%.
The distance from the COTS device was also found to be important, which is unsurprising given that even dedicated payment terminals are expected to work with a card held no more than 4 cm from the terminal contactless landing zone. However, some surprises remain: payment instruments appeared to read less reliably when held directly against the COTS reader, while some phone models worked much better at a distance than others. In our tests, holding the payment instrument about 1 cm away from the COTS reader produced the most reliable results in reading the contactless data.
Finally, the orientation of the payment instrument was found to have a significant effect on the reading as well. It is expected that this finding can be largely attributed to the smaller contactless volumes combined with slight offsets of antenna position found on different devices: turning a card or phone around in a reader field repositions the antennas within the volume, affecting their ability to interface with the field.
Summary — turning on the tap
So, what do these findings mean for COTS payments moving forward? Is this new payment method relegated to providing poor customer experiences through multiple read failures while the merchant does the card orientation dance to find the sweet spot of the contactless volume on their device? We don’t believe that needs to be the case, but these findings suggest COTS tap-to-phone implementations need to consider more than merely the aspects of security and EMV functional certification.
Rapid, high-volume environments may not be ideal places to use COTS-based payments for now, at least until NFC interfaces of COTS devices are improved. However, in the short to medium term, the way that the technology is implemented and used can still mitigate many of the issues we found through this testing.
Best-in-class implementations will consider how to train the merchant to correctly use their device for reading cards, using a training mode perhaps with additional guidance for common device types. Merchants or acquirers deploying COTS payment solutions may be well served by performing their own user experience testing, using a mix of different payment instruments that are common in their business and geographic environment.
UL has extensive experience performing operational validation testing for mobile issuance systems, testing their ability to be easily used in real-world environments. We would be happy to work with implementers and deployers of tap-to-phone systems to not only help them produce compliant solutions but also confirm their solutions will meet the market demands for simple and friction-free payment experiences.