You’ve decided to buy a new pair of shoes, and you’re going to pay for them by tapping your smartphone against the checkout stand. It’s just like using your credit card — except that it isn’t. Here’s what’s really happening to the money on your phone, when you spend it and when you are just carrying it around.
So back to those shoes. You’ve got them up at the counter, and you take out your phone to tap it. At the moment the transaction occurs, your phone is using NFC, or Near Field Communication, to network with the checkout stand.
Your phone has an NFC chip that uses a very small electromagnetic field to send your credit card information to an NFC chip in the checkout’s reader. It only works over a distance of a few centimeters, so you have to hold your phone very close. Once your payment information is transmitted, the process works the same as if you’d just swiped a plastic credit card.
During that suspenseful second or two before the register says “approved,” and the clerk hands you your receipt, a lot is going on. The checkout terminal sends your data to the acquiring bank, which is the bank that processes credit card transactions for the store. It’s called the “acquiring” bank, or just the “acquirer.”
The acquirer sends a request to the bank that issued your credit card, asking for authorization; essentially, the acquirer makes sure that your account is valid and has enough money available to pay for the shoes. Your card issuer — probably your bank if you’re a Visa or MasterCard holder; if you use Discover or American Express, the credit card company is also your card issuer — sends an authorization code to the acquirer, and the acquirer tells the merchant to go ahead and sell you the shoes.
You walk out of the store with your new shoes, but the money you just spent hasn’t really changed hands yet. Your transaction is saved along with every other sale the store makes during the day, and that evening, the store sends all of those transactions to its acquirer in a batch.
The next day, while you’re breaking in your new shoes, the store’s acquirer sends this batch of transactions through the card network — that’s the brand on your credit card, usually Visa, MasterCard, American Express, or Discover in the U.S. Then the card network sends your transaction along to your bank, which pulls the money from your account and sends it back through the card network to the acquirer, who pays the store for your shoes. That’s why your purchases sometimes take a day or two to actually come out of your account, or why they sometimes show as “pending” for a few days.
That process is the same whether you pay by swiping a magnetic stripe card, tapping an EMV chip card, or tapping your smartphone. But what’s going on inside your phone when you set it up to use Google Wallet, Apple Pay, or other e-wallet apps?
Here’s where it gets a tiny bit more complicated, because there are different ways to store your account information for NFC payments, and every mobile wallet seems to have a slightly different approach. Some protect your credit card information by storing your it in a secure piece of hardware on the phone. Others store your card information in the cloud, then send an encrypted version of that information to your phone as a payment “token.” Still others combine the first two, storing your card information on secure hardware and making sure the checkout terminal only ever sees the tokens, not the real card number.
Let’s take a look at how some of the major mobile wallets actually work.
If you have an iPhone 6, a Samsung Galaxy S6, or one of a handful of older smartphones, your phone contains a chip called an embedded secure element, which stores your credit card information. When you tap your phone at the checkout terminal, the embedded secure element sends your card information to the checkout through your phone’s NFC chip. This is how Apple Pay and Samsung Pay store your card information - sort of. It’s actually a bit more complicated.
When you sign up for Apple Pay, your real credit card number isn’t stored in the secure element on your iPhone; it’s stored in the cloud. Your credit card network, working with Apple, issues tokens, which are stand-ins for you real card number, and stores them in your phone’s embedded secure element.
These tokens look like regular credit card numbers, but they only work on your personal iPhone, so a criminal can’t steal an Apple Pay token and use it online. It’s impossible to decipher your real card number from the tokens, either. So the idea behind tokenization is that even if criminals manage to steal your tokens, they aren’t worth much.
Samsung Pay uses a slightly different process to create its tokens, and they’ll usually only work a single time. Samsung’s tokens are also stored in an embedded secure element, or in the phone’s memory in a secure area called the trusted execution environment.
So, getting back to your shoe purchase: When you tap your iPhone or Galaxy S6 to buy those shoes, your phone uses the token and your transaction information to create a “token cryptogram” which gets sent on through the acquirer to your card network, which can trace the token back to your real card number (this is called “re-mapping”), and then sends the transaction information on to your bank. The store and its acquirer never see your real card number.
To get your bank card into those mobile wallets, your bank has to sign a deal with Samsung or Apple, and it costs money. When you use your credit card, the store pays a small “interchange fee” to the bank that issued your card. If your bank wants in on Apple Pay or Samsung Pay, it has to give Apple or Samsung part of its interchange fees in return.
Phone manufacturers can also rent space on embedded secure elements to banks who want to launch their own mobile wallets for their customers. That means a bank may be renting a small piece of your phone, even if you’re not using a mobile payment system.
Google Wallet works a bit differently. You can add a credit card to Google Wallet, or link your bank account to the service, and Google stores that account information in its servers; it works a bit like adding a card or bank account to a PayPal account.
Your card information isn’t stored on your Android phone. Instead, Google creates a virtual credit card, called Google Wallet Virtual Card, which essentially acts as a token for your real account information. The virtual card number changes for every transaction — it’s a form of security just like Samsung Pay’s singe-use tokens. By changing the number for each transaction, Google Wallet prevents your token from being stolen and re-used.
Instead of a secure element, Google Wallet uses a technology called host-card emulation, which uses software to accomplish the same tasks as the hardware in a secure element.
Apple didn’t invent NFC payments; they’ve been around for several years. The basic idea is to store your card information on a chip that uses NFC to send the information to the checkout terminal when you tap to pay. One way to do this is by storing your information on a SIM card with an NFC chip, which you would get from your mobile phone company. For example, if you’re an AT&T, T-Mobile, or Verizon customer in the U.S., you may remember Softcard (formerly Isis, until they changed their name to avoid awkward mix-ups in light of current events), which used NFC SIM cards to store card information for its mobile wallet application. If you live in Europe, you may have seen your mobile phone company try a similar approach.
If your mobile phone company decides to launch its own version of a mobile wallet, it’s probably going to use NFC SIMs, because that approach gives the phone company complete control over the mobile wallet. If you want to sign up, you’ll go to your mobile provider’s nearest retail store and ask for a SIM card. They may give it to you for free, like Softcard did, or they may charge you a small fee. Then you’ll download the mobile wallet app from your app store and add your card to the mobile wallet – if your bank is supported.
If a bank wants to let its customer store card information on a phone company’s SIM, the bank will have to pay the phone company a fee to rent space on the SIM card. The bank and the mobile phone company also have to hire another company, called a trusted service manager, to handle some security services; usually, each party hires its own trusted service manager, and then they all have to coordinate. SIM-based NFC payments haven’t been very popular in the U.S. so far, though Google Wallet bought out Softcard earlier this year.
The important thing to keep in mind as you make your mobile wallet payments is that these are applications that allow more players to own more pieces of the hardware on your phone. It also means that your mobile provider is now entering into a partnership with your bank, either directly or indirectly.
While buying those shoes with your mobile wallet, you weren’t just using an emerging technology. You were helping to foster the emergence of a new set of corporate partnerships, which could affect how you bank as much as it does the chips on your phone.