NFC Mobile Payment Explanation

Question

I know what NFC is and have done quite studies concerning NFC Mobile Payment ( that is bringing the phone close to the reader to make payment like Google wallet). My problem now is what happens between the reader and the Credit card companies or the Banks that issued the Debit card the buyer is using. Another issue am struggling with, is the medium on which data is exchanged between the reader and Card companies or banks.

My questions are ::

1) When a user brings the phone to the reader to make a payment what goes on between the reader and the Banks OR Credit card systems. W Does the reader contact the Credit card/banking system for verification?

2) On which medium does the reader contact the Credit card companies or the banks for authentication and checks if there is enough balance to make the purchase? Does the reader send those information via internet?

3) In the case of train tickets how does the reader knows that the ticket is valid? Does it also contact a back-end system? And if so on which medium? Via internet or what?

I have googled the whole day for these answers but all the articles i get are too vague. They don't talk anything about what goes on between the Payment reader and the Banks or credit card companies.

I will be happy if someone can give me a detail description or point me to a tutorial or another Q&A which answered these questions.

Thank you.

Answer 1

• During a payment there are four "parties". The bank, acquirer, merchant and the payment organisation (like Visa or MasterCard). During the payment, the merchant accepts your payment with a POS. (Point Of Sale, the hardware with the reader that accepts your payment) The communication goes through the acquirer, then through the infrastructure of the payment organisation (Visa...) to your bank. The role of the organisation is routing this information and transferring money. There's a LOT of crytography involved at every step.

• The credit card can (but doesnt have to) ask the bank for authentication and/or authorization. Some cards can hold their balance inside the chip (its secure, there is no physical way to acces or modify that data in the wrong way, and offline authorisation is faster), others will ask the bank for balance. The decision about asking the bank for balance can be made basing on many variables, like the amout that is being paid. Same goes for authentication. Sometimes the PIN will be required, sometimes it wont, and it can be verified by both the card (offline PIN control) and the bank (online PIN control). Depending on the agreements between the bank and the payment organisation, sometimes, when the bank is unreachable (a failure on their side), the organisation can authorize some transactions in its name.

• The last question has no single answer, even as generic as the ones i provided for the first two. Its totally dependant on the implementation. Id bet You could think of at least three solutions by yourself.

The problem that interests you was poked earlier: https://stackoverflow.com/a/12320799/1624636

A bit of googling allowed me to find this: http://www.firstdata.com/downloads/thought-leadership/payments101wp.pdf You might find it helpful

You probably want to get familiar with the EMV standard. Check out: http://www.emvco.com/best_practices.aspx?id=217 Let me warn You tho - its quite a big read!