< Back

NFC and EMV, what they should mean to you

The Weekly Byte – October 2015 # 1

Welcome back to the Kelley Brothers IT blog!

I am going to launch a new series called The Weekly byte.  In this series we will cover hot topics in the world of tech.  Speaking of hot topics, there really isn’t anything hotter right now then security, everyone is worried about security.  So the question is, how to stay secure.

It’s in the news every day, “ABC Inc. has revealed that XX million client files have been stolen.”  And they say that they will provide identity theft recovery services etc.  But at that point the damage has already been done.  The problem is that these breaches are happening with some of the biggest companies in the country.  So how are you supposed to prevent the theft of your PII (personally identifiable information) from your every day stores?

There are a few new technologies that are starting to become prevalent, I say “new” but they have actually been around for years.  Those “new” technologies are NFC payment systems and EMV equipped credit/ debit cards.  I will cover both of those items in greater detail shortly.

I know quite a few of you probably clicked on this article expecting a story on Virus softwares etc.  but I believe that most of you know that you need to run a virus protection program and already do so (if not CALL ME!!).  But many of you are unfamiliar with these new terms being thrown around regarding payment methods.  So let’s get to it:

What is NFC?

NFC stands for “Near Field Communications”  and according to wikipedia it is “the set of protocols that enable electronic devices to establish radio communication with each other by touching the devices together, or bringing them into proximity to a distance of typically 10cm or less.”.  So essentially it allows you to make a payment without swiping or dipping (we’ll cover this later) a card.  NFC was first seen in credit/ debit cards displaying this logo:

Unfortunately due to the craftiness of thieves this payment method never really caught on.  But with the recent integration of fingerprint identification on smart phones, it is now coming back full speed.  The two heavy hitters in the NFC department are Apple and Google, each offering their own respective service.  So we have Apple Pay and Android Pay.

The big advantage that both services offer in regards to security is called tokenization.  What this essentially means for you is that when you make a purchase with either Apple Pay or Android Pay, your credit card number is never given to the merchant.  Instead they are given a randomized number known as a “token” which verifies that your information is valid.  So if that merchant ever has a security breach all the thief will get is a random string of numbers unassociated with you.  Both services offer this feature but they also have their own unique perks.


Apple Pay

Apple pay was released by Apple alongside the iPhone 6 and 6 plus.  essentially you store all of your credit cards in the wallet app( previously known as passport) on your iPhone and you can then pay with Apple Pay.

How it authenticates payments:

  1. Using your passcode
  2. Using touch ID

Apple pay requires that you at least set a passcode on your phone but I recommend setting up touch ID.  Touch ID is simply Apple’s fingerprint authentication system and it can be found under Settings -> touch ID & passcode.

Once everything is set up, the process for paying is as simple as tapping your phone to the terminal while holding your finger on the home button.  The phone will make a bell sound and vibrate when a payment is successfully made.  Here is a video from Apple showing the whole process, click here.

Another unique feature for Apple Pay is that it does not require a cell network or wifi once your cards have been added to the wallet app.  So if you’re traveling through the desert with spotty cell service (which I have done many times) not to worry!  Apple Pay will still work.

This is because the Device Account Number is assigned, encrypted, and securely stored in the Secure Element, a dedicated chip in the iPhone and AppleWatch, and when a payment is initiated, the token is passed to the retailer or merchant.  So no internet connection is required on your end.


Android Pay

Android Pay has just recently started to roll out to devices.  So right now it’s the new kid on the block, but it has some pretty powerful features that are unique to it.

How it authenticates payments:

  1. Using your passcode/ password
  2. Using a pattern

At the moment Android Pay does not support finger print identification, that functionality is supposed to be released alongside Android 6.0 Marshmallow.  Until then, Android Pay will accept a passcode, password, or pattern to authenticate a transaction.

To make a purchase, you tap your phone on the payment terminal, enter your passcode, and your payment information is securely communicated to the terminal for payment.  Here is a quick demo from Coca-Cola who will be integrating NFC into it’s vending machines, click here.

Another big advantage for Android Pay is it’s heavy integration with existing merchant rewards programs.  As shown in the Coca-Cola video, your My Coke Rewards account is directly linked to transactions in Android Pay, making the accumulation of points that much easier.

However one of the cons of Android Pay is the requirement for an internet connection.  I say requirement but it’s not required all of the time.  Android Pay stores your information in the cloud so when you make a payment your info is authenticated online.  Now Android Pay does store a limited number of tokens on your device just in case, but that limits the amount of transactions you can perform without an internet connection.  The chances of this becoming a problem for someone is slim to none, but it is a con nonetheless.

Moving onto EMV, what is it?

EMV stands for Europay, MasterCard, and Visa, the three companies which originally created the standard.  EMV cards store their data on an integrated circuit as opposed to a magnetic strip.  However most chip cards are also equipped with a magnetic strip as well.

This is where the terms swiping or dipping come into play.  We all know the classic swipe method, you simply slide your card through the reader and enter your pin or zip code to process a payment.  Well with EMV cards you now “dip” your card into the terminal and you must enter your pin or sign the receipt while the card is still in the reader as seen in the video below:

Each transaction is assigned a unique identification number, so even if a thief manages to steal the transferred information they cannot use it for fraudulent purchases.

When was it released?

Believe it or not the EMV standard was initially written in 1993 and 1994. and implemented shortly thereafter.  In Europe the liability for fraudulent transactions was shifted from banks to merchants in 2005.  As compared to the recent shift in the U.S. on October 1, 2015, so America is finally joining the new millennium of payment security.


Closing Remarks

Well that pretty much sums up NFC and EMV.  Make sure to subscribe to The Weekly Byte to ensure that you are always up to date on the latest tech news.  And always feel free to call me with any questions at 951-263-7336.  This is Greg, over and out.