The Canadian Bankers Association (CBA) has published the Canadian NFC Mobile Payments Reference Model (the Reference Model) outlining voluntary guidelines for the development of near field communications (NFC) mobile payment capabilities in Canada. The Reference Model affects a wide range of participants in the Canadian mobile payment ecosystem, including mobile service providers, mobile device producers, application developers, credential issuers, acquirors, merchants and consumers. The guidelines in the Reference Model were developed and have been adopted by major Canadian banks and credit unions. For the rest of the industry, adherence is optional.
The Reference Model, released on May 14, 2012, was prepared in response to a request from the federal government’s Task Force for the Payments System Review that financial institutions develop mobile payment standards. Standards on the following topics were developed with the goal of ensuring safety, security and ease of use for merchants and consumers while allowing for innovation and competition among market participants:
- Canadian mobile payments solution framework
- NFC mobile payment ecosystem overview
- Wallet features and functionality
- Enablement and lifecycle management
- Loyalty and rewards
- Data and security
The full text of the Reference Model is available on the CBA website at http://www.cba.ca/contents/files/misc/msc_20120514_mobile_en.pdf.
Overview of the Reference Model
The Reference Model is limited to the payment model in which payment card credentials are stored on a SIM card or embedded in the secure element of a smartphone, and payment is effected by a user selecting a payment method from the "mobile wallet" stored on the smartphone and tapping the smartphone on an NFC-enabled point-of-sale device. This payment model is presently being rolled out by Canadian financial institutions and mobile network operators.
Canadian Mobile Payments Solution Framework
MasterCard, Visa and Interac have each developed a set of specifications for NFC transactions requiring mobile devices to support the EMV mode and the MSD mode. Consistent with those specifications, the Reference Model supports both EMV and MSD technologies.
In addition, the Reference Model has adopted elements from various other guidelines and regimes, including SEPA, GSMA/EPC, EMVCo, GlobalPlatform, PayEz and AFSCM.
NFC Mobile Payment Ecosystem Overview
NFC purchases are transacted over radio frequencies, which require both specialized hardware and specialized software. There is some discussion of hardware in the Reference Model, but the focus is on the software required.
The Reference Model envisions a mobile payment ecosystem predicated on the interoperability of components. NFC mobile devices will be able to operate with different point-of-sale systems; different credential issuers will be able to operate on different NFC mobile devices; any NFC contactless reader compliant with ISO 14443 Type A or ISO 14443 Type B will be able to communicate with any NFC mobile device; and any over-the-air platform will be able to communicate with any credential issuer.
Wallet Features and Functionality
The Reference Model describes three types of mobile wallets.
A proprietary wallet is designed so that only payment credentials from the wallet provider may be used to make a payment.
A collective wallet is designed by a group of credential issuers so that only payment credentials from that group may be used to make a payment.
An open wallet is designed so that payment credentials from multiple credential issuers can be used to make payments. It should be noted that open wallets still require agreements and business relationships between credential issuers and wallet providers.
The Reference Model acknowledges that the industry will gravitate toward proprietary and collective wallets, but adopters of the Reference Model expect to migrate toward open wallets within 18 months of the first open wallet being launched in Canada. In order to promote this openness, the Reference Model does not allow mobile wallets, mobile network operators, original equipment manufacturers, secure domain managers and credential issuers to restrict access to payment applications from debit and credit payment networks, prepaid products, transit and loyalty products, and products issued in a foreign currency. The Reference Model emphasizes consumer choice over which payment types may be embedded on a smartphone and whether use will be pass code protected.
Enablement and Lifecycle Management
The Reference Model outlines the installation, use, maintenance and termination of payment and wallet applications in some detail. It emphasizes the importance of sound contractual business relationships among the various participants in the mobile payment ecosystem.
One interesting possibility mentioned in the Reference Model is the creation of a central hub organization or central controlling authority to manage those relationships. Little detail is provided regarding who that organization would be or what it would look like, but it can be assumed that this concept is distinct from the self-regulatory organization proposed by the Task Force for the Payments System Review.
Loyalty and Rewards
The Reference Model provides guidelines for the way that loyalty and rewards programs will run through the mobile payments system. The essential aspect is that loyalty program information may reside on the SIM card or be embedded in the secure section of a smartphone, thus forming part of the mobile wallet. The Reference Model also discusses how loyalty and rewards programs, couponing, rebates and vouchers will operate, whether operated by merchants, issuers or other ecosystem participants.
The Reference Model recognizes that loyalty and rewards programs are rapidly evolving. As merchants and application developers seek to employ mobile payment systems to implement these programs, they must be mindful to follow the standards set out in the Reference Model, including the use of ISO/IEC 14443 for the transmission of loyalty and rewards data using NFC.
Data and Security
The general principle that underlies the guidelines in the Reference Model is that each ecosystem participant should have access to only the minimum information required to perform its primary role. It is not clear who would have access to consumer purchasing information that would be of interest to merchants. The Reference Model sets out data and security guidelines and standards in some detail and adopts PCI-DSS compliance as the standard for data protection.
The data and security standards may have significant implications for the development and use of wallet and payment apps in Canada, as the Reference Model allows information about transactions, loyalty programs and consumers to be used only in certain ways.
The Department of Finance has indicated its intention to adapt the current voluntary Code of Conduct for the Credit and Debit Card Industry in Canada (the Code) for the quickly evolving mobile payment ecosystem. While many of the guidelines in the Reference Model will be relevant for this exercise, the Code amendments would need to anticipate all forms of emerging mobile payment technology, including some that are not covered in the Reference Model, such as the storing of payment credentials on micro SD memory cards and the use of cloud-based mobile payments, where credentials are stored on a server and accessed over the Internet.
Although the Reference Model binds only those banks and credit unions that participated in its development (along with their partners), the guidelines and standards that it proposes will have a profound effect on the development of NFC mobile payments in Canada. Any mobile service providers, mobile device producers, app developers, credential issuers, acquirors or merchants seeking to become active in the NFC mobile payment ecosystem will benefit from a detailed understanding of the Reference Model.
© 2017 by Torys LLP.
All rights reserved.