The Issuers’ Guide to Mobile-Based Tap-to-Pay Transactions

Apr 25, 2024 7 min read
Contents
  1. What is mobile tap-to-pay?
  2. Issuers’ view of mobile tap-to-pay tokenization
  3. Issuers’ view of mobile wallet onboarding
  4. Mobile tap-to-pay transaction flow
  5. Issuing cards for the future of contactless payments

2023 saw rapid growth in tap-to-pay, or contactless card payments. Mastercard reported that contactless payments represented over 60% of all in-person switched purchase transactions on their network [1]. Similarly, Visa reported that 45% of all their in-person transactions in the US are tap-to-pay transactions [2]; they also reported that users who use tap-to-pay tend to make, on average, two additional transactions and spend more dollars per month.

Mobile-based tap-to-pay payments are a subset of contactless payments and an important growth driver of the category. The CFPB published a report specifically on mobile tap-to-pay payments in the US in September 2023 [3]; in it, they cited a Juniper Research report stating that the value of digital wallet tap-to-pay transactions will grow by over 150 percent by 2028 [4].

Trends and expert forecasters have called 2024 the year of tap-to-pay transactions, anticipating a perfect storm of consumer demand, merchant enablement, and technological advances that make issuance cost-effective and fast. This blog breaks down the hype around mobile wallet tap-to-pay, explains the tech that makes consumers love it, and highlights the capabilities issuers need to ride this trend.

What is mobile tap-to-pay?

Contactless payments can be made using cards (by tapping your card on the point of sale (POS) machine instead of dipping or swiping it) as well as using mobile wallet applications (by adding your card to Apple Pay, Google Pay or Samsung Pay mobile wallets). 

Mobile wallets allow users to ‘add’ their cards to the wallet application, which then tokenizes the card to save it securely. At the time of transacting, the user simply unlocks the mobile wallet, selects the card they wish to pay with, and taps the mobile device on the POS machine. The wallet uses the mobile device’s in-built Near Field Communication (NFC) capability to communicate with the NFC-enabled POS machine and securely relay the card credentials. We explain this in more detail in the following sections. 

With a card added to a mobile device, a mobile tap-to-pay transaction is different from card-based tap-to-pay in the following ways:

  • Higher security: Contactless payments made using mobile wallet applications are deemed to be more secure than contactless payments made using cards. This is because mobile wallet applications share tokens (not PAN) with the NFC reader on the POS machine.
  • Convenience: Mobile wallets allow users to add any contactless-enabled card to their device, removing the need to carry physical cards in their wallet. 

Another factor driving the adoption of mobile tap-to-pay is that it does not require any additional setup on the merchant’s side; any POS device enabled for contactless card tap-to-pay can also accept mobile tap-to-pay transactions.

Issuers’ view of mobile tap-to-pay tokenization

We introduced tokenization in card payments in our previous blog. In brief, tokenization replaces the card PAN (primary account number) with a payment token in information exchange during a payment. This ensures that the most valuable information that fraudsters are seeking is inaccessible. 

Even if the fraudsters were somehow to get the token itself, they would not be able to use it since the token is valid only within pre-defined constraints (specific merchant, specific consumer device, etc.). Moreover, issuers and cardholders can continue to use the original card (no need to replace the card) as new tokens can be issued.

In our previous blog, we also covered an entity view of tokenization in card payments, with a specific focus on the issuers’ role in it. Tokens are generated by token service providers (TSPs), while issuers manage cardholder onboarding, token provisioning, and token lifecycle management.

In the case of mobile tap-to-pay transactions, TSPs issue a token to be used only from a specific cardholder device. This token enables the cardholder to use a wallet on their mobile device to make contactless payments at a POS terminal. This token is issued when the cardholder ‘adds’ a card to their mobile wallet.

However, for a user to be able to add their card to a mobile wallet, the wallet has to be registered with the card issuer and their TSP first.

Issuers’ view of mobile wallet onboarding 

Apple Pay, Google Pay, and Samsung Pay are the dominant mobile wallet applications that allow users to make contactless payments at POS terminals. There are significant differences in how Apple Pay works from the rest. We cover this in a subsequent blog, but for now, we will focus on how these wallets enable contactless payments in general.

When a cardholder adds a card to their mobile wallet application, the wallet pings the issuer and requests a token that is uniquely generated for the cardholder’s current device. Note that this token cannot be used on any other device or by any other user.

In this process, the wallet performs the role of a Token Requestor (TR) (also covered in the entity view of tokenization in our previous blog). To be able to successfully add a certain issuer’s cards to the mobile app, the wallet needs to:

  • be registered as a TR with EMVCo
  • be registered as a TR with the TSP of the issuer bank, wherein the TSP issues a unique token requestor ID to the wallet app. Please note that the wallet app needs to work with each issuer bank to register with their respective TSPs.

Once the wallet is registered as a TR with EMVCo, the issuer bank, and the issuer’s TSP, every time a cardholder adds a card from that issuer to their mobile wallet, the wallet makes an API call to the TSP. In this call, the wallet passes the PAN, PAN expiry date, and consumer device information (secure element ID, unique device identifier, MAC address, operating system version, etc.) and receives a token and token expiry date in response.

The wallet stores this token securely on the mobile device. There is a difference in how Apple stores these tokens on iPhones and how these tokens are stored on Android devices. We will discuss the differences in the next blog. For now, let us understand that this token is stored securely on the cardholder’s mobile device on a ‘secure element’ (the technical term for Android devices is ‘host card emulator’, perhaps a topic for another blog).
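The provisioning call and the device-bound token constraints described above, sketched as an added example (not Zeta's or any TSP's code): a toy token vault that issues a token for one device and token requestor and refuses to map it back to the PAN in any other context. `TokenVault`, its method names, the device and requestor IDs, and the test PAN are assumptions made for illustration, and comparing device IDs directly is a simplification of how a real TSP verifies the device.

```python
import secrets
from dataclasses import dataclass
from datetime import date


@dataclass
class TokenRecord:
    pan: str
    device_id: str           # device the token was provisioned for
    token_requestor_id: str  # ID the TSP assigned to the wallet
    expiry: date
    active: bool = True


class TokenVault:
    """Toy TSP vault; the token-to-PAN mapping never leaves this object."""

    def __init__(self):
        self._records = {}

    def provision(self, pan, pan_expiry, device_id, token_requestor_id):
        # Random digits, not derived from the PAN, so the token leaks nothing.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan)))
            if token != pan and token not in self._records:
                break
        # Assumption: the token expires together with the card.
        self._records[token] = TokenRecord(pan, device_id, token_requestor_id, pan_expiry)
        return token, pan_expiry

    def detokenize(self, token, device_id, token_requestor_id, today):
        """Return the PAN only when every domain restriction holds, else None."""
        rec = self._records.get(token)
        if rec is None or not rec.active or today > rec.expiry:
            return None
        if (rec.device_id, rec.token_requestor_id) != (device_id, token_requestor_id):
            return None  # token presented outside the context it was issued for
        return rec.pan

    def suspend(self, token):
        """Lifecycle action (e.g. lost phone); the underlying card is untouched."""
        if token in self._records:
            self._records[token].active = False


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test PAN, not a real card
    token, _ = vault.provision(pan, date(2027, 12, 31), "device-A", "TR-0001")
    today = date(2025, 1, 1)
    print(vault.detokenize(token, "device-A", "TR-0001", today) == pan)  # True
    print(vault.detokenize(token, "device-B", "TR-0001", today))         # None
```

Suspending a token and provisioning a fresh one for the same PAN mirrors the point made earlier that new tokens can be issued without replacing the card.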

Mobile tap-to-pay transaction flow

When a cardholder selects an added card from their mobile wallet and taps their phone on a POS terminal, the wallet passes the token and token expiry date received from that issuer’s TSP to the terminal. The terminal, in turn, initiates an ISO 8583 payment request to the network scheme – setting off the standard card payment authorization flow. But let’s look a little deeper at what happens during this one-second tap.

The POS terminal communicates with the cardholder’s mobile device using NFC technology. The mobile device has an NFC controller, which can communicate with the NFC reader on the POS machine. The NFC controller tries to access the ‘secure element’ on the mobile device; to allow this, the cardholder needs to unlock the phone and authenticate themselves using the phone’s native security capabilities like Face ID, Touch ID, passcode, or device unlock pattern, before tapping the phone.

Upon tapping, the ‘secure element’ passes the token and token expiry to the NFC reader. The POS terminal initiates an ISO 8583 payment request to the network. This ISO 8583 message has a few additional fields to indicate to the network scheme that a token, token expiry, and other details are being passed in the request.

The typical payment flow is then initiated with the acquirer, network scheme, and issuer. Upon authorization, the POS terminal finally receives the payment authorization response code in ISO 8583 format, and the cardholder can see the payment status on the POS terminal and their mobile device.

You can read more about the information exchange in ISO 8583 format in this previous blog.

Issuing cards for the future of contactless payments

A study from Juniper Research forecast that the number of unique contactless mobile payment users globally will cross 1 billion by 2024, growing at a rate of 60% from 782 million in 2022 [5].

The larger issuers in the US have been aware of the trends around contactless payments and most of them today issue contactless-enabled cards by default. There is still significant room for growth in the issuance of contactless cards, however, with Retail Banking Research (now Datos Insights) having predicted that 81% of all cards globally will be contactless in 2026, with the fastest growth occurring in the American continent [6].

Contact us to know how Zeta helps issuers offer cards enabled for the future of contactless payments.

Footnotes
  1. Pymnts.com, Visa, Mastercard Earnings May Spotlight Contactless Payments Momentum | PYMNTS.com | October 2023
  2. Pymnts.com, Visa Direct Transactions Grow 20%, New Flows a $200T Opportunity | PYMNTS.com | January 2024
  3. Consumer Financial Protection Bureau, Big Tech’s Role in Contactless Payments: Analysis of Mobile Device Operating Systems and Tap-to-Pay Practices | September 2023
  4. Juniper Research, Digital Wallets Market Report: Growth, Trends 2023-2028 | July 2023
  5. Juniper Research, Contactless Mobile Payments to Surpass 1 Billion Users for First Time in 2024 | Press | November 2022
  6. RBR London, COVID-19 Speeds Up Contactless Rollout Globally | February 2022

About Author
Director, Product
Bharathi Shekar is a Director of Product at Zeta and leads a product portfolio covering payments and data. An engineer turned product manager, he has over 20 years of experience leading product and engineering teams. Bharathi is a passionate and hands-on creator and is credited with 17 patents and 4 defensive publications. Prior to Zeta, Bharathi led [Read more]
