How Samsung Pay works in India, a country with 2FA?

Shashank Mehta
7 min read · Mar 23, 2017

Samsung Pay launched in India on 23rd March, 2017. Samsung must be hoping for a first-mover advantage, seeing how India hasn’t yet been tapped by Android Pay or Apple Pay. Why is that? Mandatory 3DSecure / Two Factor Authentication (2FA).

Because of 3DSecure, tokenising the card isn’t enough. Even if the card is saved/tokenised in some form, the customer still needs to enter either an OTP or a password (MasterCard SecureCode or Verified By Visa, depending on the card network). This makes the payment process far from seamless on a phone. The process would have been:

  1. Take out your phone
  2. Unlock the phone
  3. Open the payment app
  4. Authenticate yourself to the app
  5. Enter 3DSecure
  6. Payment is complete

Keep in mind that in this process, the 3DSecure step takes the most time. Also, it won’t work at all with POS machines, since they do not support a flow like this, not even the newer ones with NFC. So even if 3DSecure were somehow supported, it wouldn’t be seamless enough.

Compare this with physical card payment:

  1. Take out your card
  2. Swipe it
  3. Enter PIN
  4. Payment is complete

In order to compete with this flow, you need to have as seamless a payment flow as possible. What’s the best possible flow?

  1. Take out your phone
  2. Authenticate using fingerprint
  3. Payment is complete

Essentially, we have reduced the hurdles by:

  1. Making it easy to unlock the phone through fingerprint (All modern phones have this)
  2. Not needing to open the app (Apple Pay has this)
  3. No 3DSecure needed

While the first two are possible irrespective of which country you are in, the third one is needed in countries like India. Samsung Pay shines in this regard because it removed the requirement for it, and hence it is also the first to launch such payments in India. But how did they do this?

Samsung Pay’s Payment Flow

Samsung says it tied up with Visa, MasterCard and a bunch of card issuing banks like Axis Bank, HDFC Bank, ICICI Bank, SBI, and Standard Chartered. Before we get into the details, let’s look at Samsung’s payment flow:

In steps:

  1. Take out your phone
  2. Swipe up
  3. Authenticate using fingerprint
  4. Payment complete

Apple Pay doesn’t require step 2, the swipe up. But this flow is still very seamless. The key point to note is that there’s no need to enter a PIN, as in physical card payments, or 3DSecure, as in online transactions. Woah! This is only possible if the bank that issued the card allows it, since PIN and 3DSecure validation is done by the issuing bank. This is where the list of banks becomes relevant: Axis Bank, HDFC Bank, ICICI Bank, SBI, and Standard Chartered.

But what about the regulation?

Regulations and legality around Samsung Pay

Here’s something from Livemint’s article on Samsung Pay:

For a service like Samsung Pay, you need to have regulatory approvals.

Samsung, as a provider of the technology platform, does not need any approval. The issuers and payment gateways got the required approvals from Reserve Bank of India (RBI). The regulator works with them, not us. Some of the banks and payment gateways have launched Samsung Pay in other countries as well so they were familiar with the regulatory requirements such as the tech standards and the use cases.

— source: Livemint

This doesn’t quite seem right. RBI isn’t known for giving out special permissions. But RBI does allow payments through contactless cards that work on NFC. NFC payments follow the EMV standard, which allows PIN-less transactions in the standard itself. A bunch of banks offer it too, for example ICICI Visa and ICICI MasterCard. But RBI has only allowed PIN-less transactions up to a maximum value of Rs 2,000. Here’s the flow for NFC-based contactless payment:

[Flow diagram of an NFC-based contactless payment. Source: SBI]

Here’s the relevant RBI notification allowing NFC payments as well as announcing a limit of Rs 2,000: link. However, there’s no mention of this Rs 2,000 limit anywhere on Samsung Pay’s India website. Since Samsung Pay is a contactless payment system, it should be subject to the same guidelines as NFC payments. It’s quite possible that there is a limit and it just hasn’t been mentioned anywhere. But there’s even more that makes this a funny business.

Samsung’s workaround against NFC: MST

NFC payments have very low acceptance across the world, primarily because older POS terminals don’t support it, and the newer ones that do haven’t yet reached a critical mass. But Samsung worked its way around this too! Samsung Pay states that it uses NFC and MST as its communication modes.

What is MST? Magnetic Secure Transmission. Samsung acquired a company called LoopPay in early 2015, apparently for around $250 million. What makes LoopPay special is that it mimics a physical card payment, which works by swiping the card through the POS machine. When you swipe a card, the magnetic stripe on the back generates a signal. MST produces the same signal, making the POS device believe a card is present.

LoopPay initially launched as a physical device with a magnetic coil that would transmit the exact same magnetic signal a swipe sends to the POS terminal. Here’s an article by Business Insider explaining all of this: link. Essentially, LoopPay makes it possible for a mobile phone with its tech embedded to work exactly like a physical card swipe. So the lack of NFC terminals in the market is no longer a challenge for Samsung!

MST and 2FA/3DSecure

Alright, so we all agree that MST is basically the same kind of transaction as a card swipe. But didn’t all of those transactions require you to enter a PIN, irrespective of whether the amount is more or less than Rs 2,000? So how is Samsung able to make it work? Again, can we please have the list of banks here: Axis Bank, HDFC Bank, ICICI Bank, SBI, and Standard Chartered. Samsung individually tied up with each of these banks to allow normal card-present transactions to go through without any PIN being required. Hence, Samsung needs to work with each bank it wants to support.

None of this means that Samsung Pay’s flow ignores RBI’s guidelines on mandatory additional factor authentication. Your phone forms the first factor and the fingerprint authentication forms the second.

Is MST legal?

Essentially MST should lie in the same domain as NFC: contactless payments. However, RBI’s notification specifically states the following:

The contactless cards should necessarily be chip cards adhering to EMV payment standard, so as to be acceptable across the existing card acceptance infrastructure which are EMV compliant based on the earlier mandate in this regard.

The EMV standard is basically the chip-based payments system. The simplest way to identify it is that the card is dipped for a chip-based payment instead of being swiped. MST does not follow EMV standards; it mimics the swipe-based system. There’s no RBI notification around MST, and it’s highly unlikely that they would have specifically allowed Samsung to use something like this. So by this line of thinking, MST technically lies in a grey area.

The other line of thinking is that Samsung Pay does follow the 2FA requirement by having presence of the device and the fingerprint as the two authentication factors. Hence MST may lie in the same domain as the card-present, swipe transaction model: instead of the card PIN being used as the second factor, it’s the fingerprint. Under this logic, Samsung Pay is in the white.

For more details on EMV vs magnetic stripe: Blog by Square

Is MST secure?

MST is the key ingredient in making Samsung Pay more widely accepted. However, does it come at a cost? It looks like it does. MST essentially emits a magnetic signal identical to the one produced by swiping the card, but it does so at close proximity and without an actual swipe. The signal is apparently strong enough to be picked up by a rogue device even 2 meters away. By capturing the signal, an attacker captures the token, which can then be reused at any other POS terminal, even miles away from the actual payment location. The device also transmits the token multiple times to make sure the transaction goes through, giving an attacker multiple opportunities to capture it. More details are available in this research paper: link

Samsung keeps claiming that Samsung Pay is “secure” even though it has, in earlier statements, both denied and accepted the vulnerabilities.

To be fair, similar attacks are possible on NFC-based payments too; in fact, they have been demonstrated by security researchers. Card-skimming attacks were possible even on magnetic stripes. However, there’s certainly an argument to be made that since NFC/MST depend on wireless transmission of data, they could be more prone to skimming.
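To make the two defensive rules discussed above concrete, the Rs 2,000 PIN-less cap for contactless payments and the rejection of a captured MST/NFC token replayed at another terminal, here is an added example of a toy issuer-side authorisation check. It is not Samsung’s, any bank’s or RBI’s code, and it assumes the token carries a per-transaction counter that the issuer can remember, which the post does not state about real MST tokens.

```python
"""Toy issuer-side authorisation for contactless payments (added example).

Rule 1: PIN-less contactless is capped at Rs 2,000 (RBI limit); above that
        the issuer must have verified a second factor (PIN).
Rule 2: a token captured from an MST/NFC emission and replayed elsewhere is
        rejected. ASSUMPTION: the token carries a per-transaction counter the
        issuer remembers; the post does not describe the real token format.
"""
from dataclasses import dataclass

CONTACTLESS_PINLESS_LIMIT_INR = 2000  # cap from the RBI notification cited above


@dataclass
class Transaction:
    card_id: str
    amount_inr: int
    counter: int         # assumed per-transaction counter embedded in the token
    pin_verified: bool   # did the issuer verify a PIN (second factor)?
    terminal_id: str


class Issuer:
    def __init__(self) -> None:
        self.spent: dict[str, set[int]] = {}  # card_id -> counters already used

    def authorise(self, tx: Transaction) -> str:
        spent = self.spent.setdefault(tx.card_id, set())
        # Rule 2: an already-accepted counter is a replayed token, whichever
        # terminal presents it and however much later.
        if tx.counter in spent:
            return "declined: replayed token"
        # Rule 1: above the cap, contactless needs a verified second factor.
        if tx.amount_inr > CONTACTLESS_PINLESS_LIMIT_INR and not tx.pin_verified:
            return "declined: above PIN-less limit without PIN"
        spent.add(tx.counter)
        return "approved"


def run_scenario() -> list[str]:
    """Constructed sequence: genuine tap, replay of the captured token at a
    distant terminal, then a large purchase without and with PIN."""
    issuer = Issuer()
    txs = [
        Transaction("card-A", 500, 1, False, "pos-mumbai-01"),
        Transaction("card-A", 500, 1, False, "pos-pune-07"),     # replay
        Transaction("card-A", 3500, 2, False, "pos-mumbai-01"),  # over cap
        Transaction("card-A", 3500, 2, True, "pos-mumbai-01"),   # PIN verified
    ]
    return [issuer.authorise(tx) for tx in txs]
```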

Overall

The payment flow is super neat and is almost exactly how contactless payments should work. Samsung should do away with the requirement to swipe up on the lock screen, to make it as smooth as Apple Pay, but that is a very small thing. Legal hurdles aside, which may or may not even exist, this is a step in the right direction.

What is sad, though, is that this is restricted to Samsung devices, since Samsung owns LoopPay, which has patented MST. NFC in itself is pretty far from wide-scale acceptance. So even if RBI allows a non-PIN flow in general, NFC will be the limiting step, pushing the entry of things like Android Pay quite some way into the future. And I ain’t exchanging my Google Pixel for a Samsung S7 ¯\_(ツ)_/¯

Thanks Harshil Mathur, Shashank Kumar and Abhay Rana (Nemo) for their inputs on this article.