Android Pay contactless payments to touch the UK

Just to record, the official start of Android Pay in the UK, for mobile-based contactless payments, is promised “in the next few months”.

Google launched the system in the US in September 2015, with a rollout to other territories always intended to follow.

Android Pay UKLike Apple Pay, the NFC-based system uses tokenisation, i.e. that when you tap your phone for a small payment your associated account details aren’t transmitted. A temporary token is used instead.

Unlike with Apple Pay, Google has chosen to generate tokens in the cloud so some element of connectivity is required, although it seems that the Android Pay app will be able to access a limited number of stored tokens on the device.



Google uses what it calls a Virtual Account Number.

Instead of giving merchants the buyer’s actual backing credit card, Google creates and passes a Virtual Account Number that can only be used for the specific purchase for which it was issued. Using this account number, merchants can process payments with their existing payment processor.

Also unlike Apple Pay, Google doesn’t charge a levy for each transaction whereas Apple apparently charges (0.15 per cent) for use of Apple Pay, which is borne by the retailer. Google presumably sees enough value in harvesting the data itself.

The technology lets users track their last 10 transactions.

Credit and debit cards

“We’re bringing together payment networks, banks and retailers to help you pay simply and securely,” says Google.

In a blog post snappily entitled “Tap. Pay. UK.“, the company expands on the system. Pali Bhat, Senior Director Product Management, writes:

Android Pay will support MasterCard and Visa credit and debit cards from many of the UK’s major financial institutions — including Bank of Scotland, First Direct, Halifax, HSBC, Lloyds Bank, M&S Bank, MBNA and Nationwide Building Society — with new banks being added all the time.

You will be able to use Android Pay everywhere contactless payments are accepted, including your favourite places at which to shop and eat every day, such as Boots, Costa Coffee, Waitrose, and more. You can also tap and pay as you go across London on the Tube, buses and trains, using Android Pay with Transport for London (TfL).

There is an Android Pay API developer site for those looking for more information.

Encryption Scheme specification

For example, Google has supplied some details of the Encryption Scheme specification involved in Android Pay.

android pay overview ib-overview

The company says it uses “Elliptic Curve Integrated Encryption Scheme (ECIES) to secure the payment method token returned in the full Wallet response”. The following parameters are involved (to quote Google):

  1. Key encapsulation method used is ECIES-KEM, as defined in ISO 18033-2
    • Elliptic curve: NIST P-256 (also known in openssl as prime256v1)
    • CheckMode, OldCofactorMode, SingleHashMode and CofactorMode are 0
    • Point format is uncompressed
  2. Key Derivation Function
    • HKDFwithSHA256, as described in the RFC, using the parameters below:
      1. salt should not be provided
      2. info should be Android, encoded in ASCII
    • 128 bits should be derived for the AES128 key and another 128 bits should be derived for the HMAC_SHA256 key
  3. For the symmetric encryption algorithm, use DEM2 from ISO 18033-2 with the following parameters:
    • encryption algorithm: AES128 CTR with zero IV and no padding
    • mac algorithm: HMAC_SHA256 using a key of 128bits (as derived in 2)

Payment processors supported are:

ADYEN BRAINTREE CARDSTREAM CYBERSOURCE ELAVON FIRST DATA GLOBAL PAYMENTS JUDO SIMPLIFY STRIPE VANTIV WORLDPAY ZOOZ

Note that the associated Android Pay app requires Android “KitKat” 4.4 or later, and you can see if your phone supports the app by visiting Google Play to see more details.

Samsung Pay on the horizon

Another system to note, beyond Apple Pay and Android Pay, is Samsung Pay, the contactless system originating in South Korea. It has already rolled out in the US and there are indications it will appear in the UK “soon“.

“Both Apple and Google rely on the existence of near-field communication (NFC) technology that also needs to be installed at the point of sale,” comments Markos Zachariadis, Assistant Professor of Information Systems at Warwick Business School. “This at the moment creates a barrier as not all retailers have NFC-compatible terminals since there’s no regulation to force them.”

“The exception to the rule is Samsung Pay which utilises a unique technology (MST) that will allow users to use the existing magnetic-strip technology to make payments where NFC capability is not there. In addition, the collaboration of banks and card issuers is demanded, which is there, but again rather slow in most cases.”

What is not clear is whether any of the new systems will really gain traction with general consumers.

“Google and Samsung will put pressure on retailers to adopt newer technologies and make the customer experience more seamless,” added Zachariadis, who researches pay technology.

“The real push, however, will come when additional capabilities will be added onto the payment applications by interacting with other retailer and loyalty apps, thus avoiding to have to insert card details every time you need to make an online or in-phone payment via an application. Change is going to eventually come but maybe it will be somewhat slower than anticipated.”

See alsoAndroid Pay launches, in the United States

 


Leave a Reply

Your email address will not be published. Required fields are marked *

*