Since you're reading this blog, it's fairly likely you're technically minded and will have heard of contactless payment cards. These smart-chip-enabled cards promise to speed up checkout for low-value purchases by allowing you to wave your card at a payment terminal and go, but what about high-value transactions? Simple: go above the prescribed limit and you're asked to insert your card into the Chip&PIN terminal (a payment terminal with a keypad) and enter a PIN to show that you are still in possession of your card. Incidentally, the first time I used my contactless Barclaycard was in a Caffe Nero at London Heathrow airport. I was so amazed at the speed of payment I forgot to collect a receipt for expenses and forgot to get my loyalty card stamped to claim a free coffee.
So we can say contactless is useful for small purchases where it's designed to replace cash, but this only works for a small market segment like quick-service restaurants. What about the big multi-lane checkout supermarkets where shoppers fill trolleys with a weekly shop that goes way above the micro-payment limit? Why bother installing contactless in all those lanes if the terminals would hardly see any use?
Now fast forward a few years to a future where mobiles are equipped with Near Field Communication (NFC), essentially allowing your phone to emulate your contactless credit cards. Again, great for low-value transactions, but go above the micro-payment limit and how do you insert your phone into a payment terminal to do a Chip&PIN transaction? Will the shop assistant ask you to put your phone away and get your payment card out? Where did the promise of convenience go?
Why not enter your PIN on the phone? After all, you're bringing your own keypad and screen to the transaction. Not so fast! The embedded smart card, SIM card or secure MicroSD card that stores your payment application doesn't have a direct connection to the mobile's keypad. How do you stop malware on your nice open handset, which can run ANY application, from intercepting your PIN and using it to generate payments for things you don't want? There needs to be a mechanism that securely tunnels the phone's keypad input to your embedded payment chip, and that's where ARM TrustZone comes in. In an upcoming blog, I'll describe TrustZone in more detail.
Below is my interview with Qualcomm from last year's Mobile World Congress where we discussed their secure payment demo with TrustZone.
Have you tried contactless payments? Did I miss anything from your nirvana for mobile payments?