NFC Mobile Payment Architecture - Second Option
B. Second Architecture Option
In the Second option Credit Card companies have a less
important role. There is another player, Trusted Third Party
service, which makes the architecture more secure and global,
but also more complex. This might lead to the increase of
transaction fees. Focus in this particular architecture is exactly
on the Independent Trusted Third Party that has the role of the
neutral trusted service. There are two possible solutions
regarding the party that performs this role:
- Mobile Network Operator
- Independent Trusted Service Manager (TSM)
In this architecture Mobile Device manufacturer also
embeds the NFC chip and the antenna into the device, while
the Secure Element (SE) is stored into SIM/UICC card
provided by MNO. NFC Payment Application (MIDlet) is to
be provided by third party trusted service, including download
and life cycle. There are companies trying to get into the
market as the independent Trusted Third party, such as
Venyon or Gemalto. Each of these two options has its
advantages. This means there are two options under this
option, but the architecture stays the same with minor changes
regarding who is in charge of payment processing, application
downloads (if such an option is provided) and management of
the payment application life cycle. Interface INT2 of second
case architecture is used for Mobile Device to obtain payment
information from Merchants POS. In this case
and POS Terminal are communicating using LLCP (Logical
Link Control Protocol), proposed by NFC forum for P2P communication mode.
Basic design with all the defined interfaces is shown on the
Figure 2. Within this architecture a few roles are not final,
mostly because a lot depends on the exact party that performs
the role of the Trusted Third party. The shaded area represents
the architecture alternative where MNO is assigned the role of
Trusted Third party. Ideal case will be analysed here, and
possibilities will be explained through the payment process
description. Roles of individual interfaces will be further
elaborated at the end of the process analysis. Typical payment
process would consist of following steps:
- NFC equipped Mobile Device owner gets presented
with the amount to be paid to the Merchant. User has
to turn on the NFC application on the Mobile Device
in order to start with the payment.
- Once the application is started, MIDlet activates the
NFC chip. Communication with the terminal enables
Customers Mobile Device to get the relevant
information, such as details about merchant,
including his merchant ID, and payment information
including the amount.
- When the application has all the important data to
process the payment, user has to prove the identity
(authentication process). The most basic security
procedure requires only the PIN number (Personal
Identification Number), but this might not be enough.
Biometric confirmation, such as fingerprint scan,
should also be performed if users device is d
to perform this kind of authentication. Three applets
are stored on SE, used for Customer authentication.
MIDlet is used as a proxy between SE and Trusted
Third parties Server, whereas the communication
between MIDlet and the server uses SSL (Secure
Sockets Layer) protocol.
- At this point the Mobile Device sends the data,
including the amount to be paid, to the Trusted Third
party by INT3 using the MNO data transfer network.
In this architectural design the application on the
users Mobile Device is to be provided by the third
party, including download and the life cycle.
Besides all the mentioned data and payment amount,
users unique application account and credit card
information are being sent to Trusted Third party.
Along with all this, Request for Authorization is also
being sent to the third party’s processor network.
- Third party does the relevant checks, and forwards the
request for payment to Credit Card company using
INT8, which sends it to Customers Bank via INT4 in
order to check whether Customer has sufficient funds
on the account. Third party and the Customers Bank
should also have a previously established agreement
(INT9) for security reasons, somewhat like the one
Credit Card companies have.
- Upon receiving and authorizing the request Bank
checks the available funds on users account and
“holds” the required amount, deducting it from the
available funds of the users account. Confirmation is
then being sent to Credit Card company’s server via
INT4, and then to Trusted Third party via INT8.
- Using INT3, third party sends the payment
confirmation to the users Mobile Device, and the
“Payment Successful” message appears on the
screen. Funds have still not been transferred to the
merchant’s business bank account at this point, but
they have been temporarily removed from users
- Merchant’s terminal is still waiting for the payment
status. There are two ways of realizing this step:
either users device can send the confirmation using
NFC by INT2 establishing another connection, or the
confirmation can come directly from certified third
party by INT5. This depends on the final architecture
design, mostly regarding the policy of Trusted Third
party. Both ways have advantages. While it might be
more secure to get the response from the third trusted
party, it would require additional communication
between the terminal and the third party’s server,
which is not necessary in the other case.
- At the end of the business day, the merchant sends a
request to the Trusted Third party via INT5, which is
being forwarded to Credit Card company in order to
secure the authorized funds from all the NFC
transactions conducted through out the day.
- The total amount of all the NFC payment transactions,
minus any processing fees, is then deposited into the
merchant's business bank account.
Mobile Network Operators could take the role of the
Trusted Third party. Then the entire area shaded by light blue
colour on Figure 2 and the connecting interfaces would be the
responsibility of network operator. This way INT1 and INT3
would represent the same process. This solution has some
advantages, because majority of smart phone users already
have some sort of post paid account with a particular MNO,
and the odds are their mobile account is connected to their
This way the role of MNO would be handling all the
described processes that Trusted Third party is in charge in,
which is all together a rather complex process.
Each MNO would even need to take over many
responsibilities that are currently on Credit Card companies.
Even though this solution might seem more convenient to
users, for they would be having a single party providing both,
mobile telephony services and credit card functions and
transaction fees would be cheaper, the transition process
regarding necessary changes on MNO side might take very
long if this architecture is to be announced the official NFC
mobile payment solution.