Welcome to FIMEBLOG

5 things to know about NFC technology and security

It’s estimated that more than 2 billion people today own an NFC-enabled device, and we’re seeing more industries take advantage of the contactless technology. More consumers are using NFC-based mobile wallets for contactless payments, and in the transit space, New York’s MTA and Boston’s MBTA recently announced they would change the way you board a train or bus, allowing phones with NFC capabilities to act as boarding passes.

1. NFC is based on existing standards

NFC is based on existing contactless payment and ticketing standards that are used on a daily basis by millions of people worldwide. These standards determine not only the "contactless" operating environment, such as the physical requirements of the antennas, but also the format of the data to be transferred and the data rates for that transfer. As a result, today’s installed base of contactless readers can accept NFC transactions too, which makes the technology appealing.

2. NFC can be deployed for a variety of applications -- not just payments

A multitude of NFC applications can be developed for sharing information, pairing devices, and conducting transactions.

Sharing (reader/writer mode): Service providers can create NFC tags and “smart posters” that can be read instantly by NFC-capable devices. They can contain digital content like coupons, videos/music, advertisements, descriptions, product comparisons, instructions, transit timetables and more.

Pairing (Peer-to-Peer mode): The NFC peer-to-peer (P2P) mode allows two NFC-enabled devices to establish a bidirectional connection to exchange contacts, Bluetooth pairing information or any other kind of data. This instant pairing of devices, such as connecting your mobile device to your headset, is much less cumbersome than traditional pairing methods.

Transacting (Card emulation mode): Digital versions of payment cards, identity cards and tickets can be placed in a secure area of the NFC handset (the Secure Element or SE); in this way, NFC devices can transact with contactless card readers the same way as a traditional contactless card.

3. NFC security features will depend on the application

The exchange of contact information in NFC P2P mode doesn’t require the same levels of security as a payment card used in NFC card emulation mode. NFC applications are therefore often described as “sensitive” or “non-sensitive.” Providers of non-sensitive applications such as P2P or tag reading are encouraged to meet basic security requirements and are able to get to market quickly.

Sensitive applications such as payment, banking, ticketing, retail offers, couponing and loyalty require high levels of security. These applications are placed in the secure, tamper-proof area of the NFC handset (the SE) and require more rigorous testing and certification.

4. Testing and certification of NFC devices and applications creates an essential chain of trust and ensures interoperability

Every component of the NFC chain, including handsets, secure elements, services and applications, can be tested and certified to ensure optimal product performance, interoperability, security and usability. The industry is also looking at ways to combine and simplify these processes to get products to market more quickly.

Some applications require additional certifications. For example, an NFC wallet application will need to be certified to fulfill contactless feature requirements and to follow payment standards. This testing and certification is essential in establishing a fully interoperable infrastructure that allows end-users to successfully, securely and conveniently use NFC applications with a tap of their phone.

5. Creating a successful and secure NFC ecosystem will take cooperation and stakeholder responsibility

For NFC to be a success, new business partners must collectively agree on the operational models and relationships that they will form to bring their NFC solutions to market. Within mobile NFC payments, for example, financial institutions, mobile network operators, service providers, handset manufacturers and technology vendors are just some of the parties working together in ways they never have before.

Another critical duty of all stakeholders is to take responsibility throughout the whole ecosystem – starting with the foundational technology level and continuing up to the application level – by understanding their liabilities, undertaking a risk assessment, seeking clarity on areas of responsibility and investigating ways to confidently and appropriately optimize security.
