How would you feel if the next time you’re asked to pay for something, the shop asked you to tap your card to their phone? That’s the idea behind something launching in Australia.
Australians are no strangers to early adoption, and when it came to paying for things with a simple wave of the card, we were quick to make the transition.
A few years after tap and pay was commonplace on our spot on the underside of the world, this journalist recalls taking a trip to America where retailers thought it strange we were so ready to wave our card and be done, citing the security of it all. Several years later, everyone’s doing it, and waving your card or using your phone to pay has become one of the obvious ways to pay given that cash is filled with germs, and seems like an obvious relic from the past we could do without in these coronavirus-crossed times.
We’re used to paying with our cards and phones these days, and contactless payments (as they’re called) are the preferable approach, as cashless takes over. However, typically when we do it, we’re expecting to see a terminal of some kind, something to alleviate any concerns that you’re still paying at a shop. That might be a standard Eftpos terminal or a small reader the likes of which Square produces, but it’s typically something that looks like it’s made to be paid with. That’s what we’ve come to expect.
Australian-owned Quest Payments has a different approach that looks set to work in Australia shortly: instead of tapping a payment terminal, you tap the back of an Android phone. Called “Airpay TAP”, it’s a concept that bypasses the payment terminal entirely, and essentially asks you to tap the back of a retailer’s phone with your card or phone, allowing the money transfer to take place using very much the same technology, Near Field Communication (NFC).
It’s likely similar to what happens when a transit officer checks your transit card, such as is the case with Opal in Sydney. When that happens, they touch your card to their phone, and it reads your activity. With Quest’s solution, the phone is used as the main terminal to initiate the transfer of money, with the solution having been trialled with NAB in 2019, and recently receiving approvals from Australian payments regulator AusPayNet to be made available locally.
Android has appeared in some solutions in the past, and Commonwealth Bank has released at least one model designed with that in mind, but Quest’s approach appears to be different. Rather, Quest says the technology works on all NFC-equipped Android devices, with transactions working like they would on a standard payment terminal: amounts within the contactless limit can be tapped without PIN, but anything over (which in COVID times is the $200 mark in Australia) requires a PIN, and still works with the likes of Apple Pay, Google Pay, and Samsung Pay.
“Quest has gone to great lengths to provide a level of security on par with that of a traditional payment terminal, enabling protection at all points through the transaction process, while also ensuring the mobile device maintains a constant level of integrity,” said Jan Mason, CEO of Quest.
“AusPayNet’s evaluation process is globally renowned and respected, and to receive this approval is a strong endorsement of the design and in-built security of Airpay TAP.”
But while the idea may be supported by businesses keen to start accepting mobile payments with just their phone and a dream, it’s not one that will be accepted by all. Take up of the concept may be limited by consumers unwilling to tap their cards to the back of a random phone, despite Quest’s assurances of security.
We’ve all heard the story of someone paying for a cab ride and then losing money, only to find the terminal was hacked, creating headaches and frustration for the user, and you might even know that person. You might be that person. For years, security experts have been telling people to pay using terminals, not other means, and this is an idea security experts may not be as positive on.
“In my personal opinion of a security researcher, the idea of using a random Android phone will elevate the number of financial thefts and payment fraud,” said Vitaly Kamluk, Director of the Global Research and Analysis Team for Kaspersky in the Asia Pacific.
“Smartphones have become a convenient tool and a companion to all of us, but we should remember that they are general purpose computers in the first place,” he said. “That said, they can be compromised and used to attack users just like a regular computer.
“When we move payment processing to a smartphone app without any isolation from potential malware running on it, we put everyone at risk of financial theft.”
Convincing people to tap their cards and phones to another’s phone may indeed come with a risk, but Quest’s CEO told Pickr that participants in its pilot seemed undeterred.
“Australians are typically fast adopters of payment technology and are very sophisticated when it comes to contactless payments,” said Mason.
“In developing the solution, a pilot was conducted with NAB which saw no pushback from shoppers when asked to tap their card on the merchant’s phone,” she said.
“As is the case with all new technology, it comes down to education and we will be working closely with merchants, banks and consumers to explain the benefits and in-built protections of the solution.”
Tapping your card to the back of a stranger’s phone may take some re-education, because not everyone will do it. The handful of people this journalist asked about this story pushed back every single time, and said they’d feel uncomfortable tapping their card or phone to someone else’s Android phone. Most were technology experts, but not all were, and it’s that level of comfort that may prevent this technology from being adopted and understood.
However, it may not just be like a regular phone, and Quest told Pickr that the solution isn’t just a phone with an app, but rather built to look the part.
“It’s important to remember that Quest will bring this technology to merchants in partnership with an acquirer, for example a bank,” said Mason.
“Banks and financial institutions will look to brand the Point of Sale application with their individual brands so the cardholders know the merchant facility has the backing of a reputable bank that they trust,” she said.
“Furthermore, Quest has designed the solution to appear professional and representative of a traditional terminal to help ease any customer concerns. Once a customer does make a payment they will find that the transaction appears on the statement just like a more traditional payment terminal.”
That design may determine everything. Kaspersky’s research director told Pickr that ideas like this can be implemented properly, though he pointed to the potential problem of a phone being rooted or jailbroken, terms that indicate it might have been hacked to run services outside of what’s normally allowed.
“It doesn’t mean that it can’t be designed right,” said Kamluk, adding “a dedicated isolated processing unit in hardware capable of encryption and digital signature could be a nice solution. So, as it usually happens, security of new ideas strongly depends on how the ideas are getting implemented.”
He recommended that businesses thinking of using their phone with the solution look at a phone with no other extra apps installed, and connected only over a mobile line.
“For advanced users, I can recommend trying GrapheneOS, an Android fork which also allows to maintain integrity of the phone. If I were a merchant, I would use GrapheneOS to run regular integrity checks of the payment terminal,” he said.
As for Airpay TAP, it looks set to be available shortly.