Explained: How NFC and MST contactless payments work

Contactless payment systems: it seems there’s always a new service out there. There’s Android Pay (transitioned from “Google Wallet”), Apple Pay, Samsung Pay, Walmart Pay — everything pay! Until Pebble died, there was a Kickstarter campaign to add NFC capabilities to Pebble watches and it was supported by over 2,700 Kickstarter backers. It’s pretty evident: people want the ability to use NFC contactless payment systems.

NFC/Contactless Payment Systems

There are many uses for Near Field Communication (NFC), but in this article, every mention of NFC refers strictly to contactless payment systems that use the NFC chip on your mobile device.

If you include Mobil Speedpass, contactless payment systems have been around since about 1997. MasterCard started their PayPass system in 2011. Also in 2011, Google started Google Wallet, which in 2015 transitioned into Android Pay. SoftCard launched in 2011/2012 and is now owned by Alphabet, Inc. Apple Pay started in 2014, and Samsung Pay made its debut in 2015.

The contactless card symbol on a payment terminal indicates you can use an NFC-based payment system when checking out.

In a nutshell, NFC systems allow you to enable the payment system on your phone or wearable, and then tap the payment terminal at checkout to pay.



When I started using Google Wallet in 2011, there were only four businesses in my small town that accepted NFC payment systems. Now, six years later, there are at least twelve, including an independent coffee shop on Main Street. There are over 25 businesses within an hour’s drive from me that use NFC, and the list continues to grow.

The beauty of NFC for the merchant is that all they need is an NFC terminal, and they can accept all NFC systems (Android Pay, Apple Pay, Samsung Pay, etc.). Whether your bank supports a specific payment system is a different story. Some banks currently support one payment system but not the others. This has to do with agreements with the payment service and the technical logistics of making everything work with their systems.

Okay, so NFC is great, but it only works at merchants that accept NFC payments. What if they don’t accept NFC?

MST

Using MST, you just place your phone near the card reader on the payment terminal. There’s no need for NFC compatibility.

Two guys, Will Graylin and George Wallner, wanted to bring contactless payment systems to everyone. So, in 2012 they founded LoopPay. LoopPay used a technology called Magnetic Secure Transmission (MST). It stored your credit card info and used MST to transmit that to the payment terminal, simulating a card swipe. MST works at about 90% of the card readers out there. However, it does not work at readers that require you to dip your card into a slot, like at an ATM or gas pump. It also has difficulty at readers that are embedded in the machine, like at Redbox. I’ve been using LoopPay since 2014, and it’s always fun to get reactions from cashiers after they tell you, “That’s not going to work here.” LoopPay was purchased by Samsung in 2015 and Will Graylin and George Wallner had to change their dream of contactless payments for everyone to just contactless payments for those that own Samsung devices.

The Gear S3 smartwatch can also use NFC/MST to make payments.

Security

There have been many changes to the way MST works since the days of LoopPay. LoopPay was transmitting your actual credit card information to the card reader. As far as I know, there were no agreements between LoopPay and banks (LoopPay did receive backing from VISA). After Samsung purchased LoopPay, more security measures were put into place. Samsung Pay is not 100% secure, but it’s more secure than LoopPay and more secure than using your actual credit/debit card.

Banks only allow cards with the EMV chip. When I tried adding a non-EMV card to Samsung Pay, it failed. The same held true when I tried adding the card to Android Pay. After I added my EMV card, I had to call my bank to complete the authentication process, which included answering a number of security questions my bank asked me. I actually had to speak to a person and not an automated system. This was not the case when I used LoopPay or Google Wallet, prior to the implementation of EMV cards. Obviously, banks are taking mobile payment security seriously.

Samsung Pay uses tokenization for both MST and NFC transactions. Tokenization involves coding your account information into a token so that your actual account details are not transmitted. The token is sent to the terminal and then authenticated by your financial partner. This means that if you use a service such as Redbox, where you registered your credit card online and reserved a product online but then have to use the registered credit card to retrieve the product, MST will not work, because it’s not transmitting your actual account number to the kiosk.

[EDIT 03/29/17: I just wanted to clarify that all NFC systems and Samsung Pay MST use tokenization for security. Because of the tokenization, NFC and MST will work with credit/debit cards with the EMV chip and POS terminals that read the EMV chip.]
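The tokenization flow and the Redbox failure described above can be modeled in a few lines. This is an added example, not code from Samsung or any payment network: the TokenVault class, the function names and the card number are constructed for illustration, and the token is simplified to a random number of the same length as the card number.

```python
import secrets


class TokenVault:
    """Hypothetical stand-in for the token service run for the card issuer."""

    def __init__(self):
        self._pan_by_token = {}

    def provision(self, pan):
        # The token is random, not derived from the card number, so it
        # cannot be turned back into the number without the vault.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in pan)
            if token != pan and token not in self._pan_by_token:
                self._pan_by_token[token] = pan
                return token

    def detokenize(self, token):
        return self._pan_by_token.get(token)


def issuer_authorize(vault, presented, open_accounts):
    """Issuer side: map the token back to an account, approve if it is open."""
    pan = vault.detokenize(presented)
    return pan is not None and pan in open_accounts


def kiosk_pickup(registered_pan, presented):
    """Kiosk side: compares what the reader saw with the number registered
    online. It has no vault access, so a token never matches."""
    return presented == registered_pan


def demo():
    pan = "4111111111111111"  # constructed test card number
    vault = TokenVault()
    token = vault.provision(pan)  # what the phone sends over NFC or MST
    return {
        "terminal_sees_real_number": token == pan,
        "issuer_approves_token": issuer_authorize(vault, token, {pan}),
        "issuer_approves_unknown_value": issuer_authorize(vault, "9999", {pan}),
        "kiosk_accepts_phone": kiosk_pickup(pan, token),
        "kiosk_accepts_plastic_card": kiosk_pickup(pan, pan),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The issuer approves the token because it can look it up, while the kiosk, which only knows the registered card number, rejects the phone and accepts the plastic card.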

NFC systems require you to enter a PIN or use your fingerprint in order to unlock the payment app. On some smartwatches, such as the Samsung Gear S3, if the watch is removed from your wrist, it locks and you will need to enter a PIN to unlock the watch.

Samsung Pay (MST) works on the following devices (US only):

  • Samsung Galaxy S6
  • Samsung Galaxy S7
  • Samsung Galaxy Note 5
  • Samsung Galaxy Note 7 (discontinued)
  • Samsung Gear S3

Samsung has also announced that Samsung Pay will be available on mid-range smartphones.

I have had some difficulty conducting an MST transaction at some merchants. I feel this is mainly because I used a debit card versus using an actual credit card. Also, some merchants are trying to block alternative payment systems from being used in their stores.

Conclusion

It might be really cool to use NFC/MST (it still freaks out cashiers), but it’s not going to take over the way we make payments. To use NFC, the merchant would have to update their equipment to be able to accept the NFC technology. People still physically carry credit/debit cards. There’s no compelling reason for a merchant to spend the money necessary to upgrade their equipment.

MST is a patented technology owned by Samsung. Not everyone carries a device manufactured by Samsung. Since I started using LoopPay/Samsung Pay, I’ve paid closer attention to payment terminals at businesses I frequent and I’ve noticed that many food services still use a card reader that’s physically connected to the POS terminal. Often these POS terminals are behind the bar or in another area not accessible to the customer. I’m not about to hand over my phone or smartwatch to the server so they can go run the payment through the system.

According to Apple Pay’s website, there are only about 100 participating merchants. There are more merchants that are not participating than there are participating. It looks like it will be a while before there’s widespread participation and acceptance of contactless payment systems.