Visa and MasterCard in the mobile space

We are clearly in the smart cards era. From set top boxes to access control systems, passports to -of course- payment systems run on these little security tokens. There are thousands of smart cards applications running on smart cards worldwide ranging in these business fields.

When it comes to payment systems, Visa and MasterCard are the strongest influencers and the rule setters. Visa and MasterCard started EMVCo in 1994 when smart cards were ready to run payment applications. EMVCo released first payment application standards in late 90’s which led Visa and MasterCard to develop their own payment applications based on EMV.

Visa’s application is called VSDC (Visa Smart Debit Credit) and MasterCard’s application is called M/Chip. They are quite similar but have many configuration differences in terms of bank’s parameter management on the application.

Naturally, it started with contact versions. It was primitive, when compared with the current versions, but far more advanced for their magstripe ages. Banks did not even use the offline PIN feature simply because the market was not ready at the time. UK was the first country to migrate to use the offline PIN -which they called Chip&PIN -after a critical mass has been reached. Turkey was the second national migration to PIN usage. (I was personally part of it)

What EMV provided is basically a security layer to existing infrastructure and offline capabilities like offline PIN verification, offline data authentication and offline payment. It came with many updates; cards have changed, terminals have changed and of course back office systems have changed.

Then hardware (chips) evolved into contactless space. Both Visa and MasterCard developed dual interface (or a.k.a contactless) versions of their applications. MasterCard was faster, they released a stable application years before Visa and named it PayPass. US was the first country to implement PayPass.

In the mean time, US never had left the old magnetic stripe cards. As a result, US had hybrid cards; a contactless only chip with magnetic stripe. US version of contactless applications work only online, while EMV versions can work both online and offline. US version has only one security enhancement over contact magstripe — a dynamic CVV code.

Visa released the application later under the name of payWave.

The basic difference between Visa and MasterCard’s contactless applications is that MasterCard uses the standard EMV flow while Visa uses a shortcut bypassing many EMV steps. It is arguable which one is better, but my personal taste is with MasterCard.

When it comes to mobile, MasterCard is still ahead of Visa. They have a working Mobile PayPass application for a while. That’s why current NFC pilot programmes run MasterCard. Visa is now ready to kickstart a mobile version of payWave -which is called Visa Mobile Payment Application, VMPA.

So, what is new in the mobile versions? First, now there is a user interface for the application from the mobile device on which the cardholder can activate the application, change PIN, view transactions, etc. Mobile versions have the capability to be managed over the mobile network operator’s (MNO) OTA (over the air) channel. OTA is also the personalization interface of the application. Banks are now able to communicate with the application anytime they need to. (Of course not that much easy as it sounds)

Since the applications run on SIM cards (or the secure elements, as per popular phrase) now banks have a mandatory partner on their customer; the MNOs. Personalization and the life cycle script management runs over the MNO’s OTA infrastructure. Also issuing a new card process is a brand new one. MNO is highly involved in any step during the life of a mobile payment application.

SIM is owned and controlled by the MNOs so banks are now forced to share the SIM with competing banks. MNOs create and rent the mobile wallet to banks and other service providers.

Also, application version control is now handled by MNOs. Visa and MasterCard now have another customer; the MNOs.

This is a brief history of Visa and MasterCard’s smart card applications from contact to mobile. We will see how this will evolve even more interesting. And I believe it will not take more time than it did before.