Samsung launched its eponymous mobile payment service, available exclusively on Samsung smartphones, in May. A month after the launch, we think it is the moment of truth to check its competitiveness against Android Pay and Apple Pay (we have a blog post introducing these payment technologies here).
What do Samsung Pay, Android Pay and Apple Pay have in common?
The three mobile payment services use tokenization technology to encrypt customers’ identity and card details to realize unprecedented data security and protection.
Credit cards have been the dominant medium of cashless payment in retail for decades. Although enormous resources have been poured into security enhancement (such as the incorporation of smart chips in the cards in addition to magnetic strips), the customer’s card information (e.g. name of owner, card number, etc.) is inevitably exposed to the merchants of physical or digital stores at checkout and is recorded in their hands, which is where vulnerabilities arise and security breaches take place.
To prevent unauthorized access to payment cards, the card issuers turned their eyes to smartphones. Thanks to the popularity of smartphones, which are mobile, personal, and packed with massive processing power and a stable internet connection, the card issuers came up with an idea: substitute the true card number with a random number that is stored in the customer’s mobile phone, and transfer that number to merchants at checkout instead of the true one. The encrypted card number can only be decrypted by the financial institutions behind the customers and merchants to complete the money transfer. After a decade of joint development, the collection of technologies adopted, named “tokenization”, was pushed to the market, where it acts as the backbone of data security in mobile payment services like Android Pay, Apple Pay, and Samsung Pay.
The objective of tokenization is to protect the customer’s payment card information by substituting the card number with a unique alphanumeric identifier, or token, generated using proprietary algorithms. The token is then used to send the transaction to the Token Service Provider (TSP), where it is decrypted and the actual card number is retrieved; the transaction is then authorized by the card issuer, which obtains both the token and the actual card number. The TSP is a secure vault (with the payment processor or bank) and does not reside on the systems of merchants or of mobile service providers like Samsung, Apple, and Google. The security risks inherent in the collection and transfer of highly sensitive data between merchants and the card’s payment network are greatly reduced because the token is not mathematically reversible, so only the parties who have the original key used to create the token can use it. The chance of the payment card’s information being stolen or compromised is much more limited.
Currently, Apple Pay, Android Pay and Samsung Pay use the standardized tokenization technology defined by EMVCo, an organization jointly held by Visa, MasterCard, JCB, American Express, China UnionPay, Discover and other major card issuers to standardize this technology. TSPs are basically owned by these card issuers or their subsidiaries.
How is the token generated and stored in smartphones?
In general, the token is generated by the TSP, which is authorized by the customer to obtain the card information and a set of identifiers of the smartphone. The token is then sent to a vault called the Secure Element (SE) in the registered smartphone. While EMVCo has standardized the tokenization method, it does not control how the SE resides in smartphones. Apple, Google and Samsung each have their own approach to SE implementation in their smart devices:
The iPhone and iOS are Apple’s proprietary hardware and software; the SE in the iPhone is a piece of hardware incorporated into the processor chip.
Android is an open ecosystem, so Google cannot require Android phone manufacturers to put a hardware SE in their smartphones. Google tackles this diversity of smartphone specifications by the software route: a piece of cloud-based software is incorporated into the Android system to store the token. In other words, the SE in Android smartphones is emulated and exists in software form in order to comply with the EMVCo tokenization standard across different hardware specifications. This emulated SE is named Host Card Emulation (HCE) in Google terminology.
Samsung acknowledges that only its Galaxy smartphones launched after fall of 2015 are compatible with Samsung Pay, but we have no clear information from Samsung Pay on how the SE is incorporated in their devices.
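The tokenization flow described in the two sections above (registration at the TSP, checkout with the token, lookup inside the vault) can be modelled in a few lines of Python. This is an added example, not code from Samsung, Apple, Google or EMVCo; the class names, the plain device-identifier check and the stubbed issuer decision are assumptions made for illustration.

```python
import secrets

class TokenServiceProvider:
    """Toy TSP vault: the only place the token-to-card mapping exists."""
    def __init__(self):
        self._vault = {}  # token -> (real card number, device identifier)

    def provision(self, pan, device_id):
        """Registration: issue a random token bound to one device."""
        while True:
            # Random digits, so the token reveals nothing about the card number.
            token = "".join(secrets.choice("0123456789") for _ in pan)
            if token != pan and token not in self._vault:
                self._vault[token] = (pan, device_id)
                return token

    def authorize(self, token, device_id, amount):
        """Checkout: resolve the token inside the vault, then approve or decline."""
        entry = self._vault.get(token)
        if entry is None:
            return False              # unknown or revoked token
        _pan, bound_device = entry    # the real number never leaves this method
        if not secrets.compare_digest(bound_device, device_id):
            return False              # token presented from another device
        return amount > 0             # issuer decision is stubbed (assumption)

    def revoke(self, token):
        """Lost phone: cancel the token without reissuing the card."""
        self._vault.pop(token, None)

class Merchant:
    def __init__(self, tsp):
        self.tsp, self.records = tsp, []

    def checkout(self, token, device_id, amount):
        # The merchant stores and forwards only the token.
        self.records.append({"card": token, "amount": amount})
        return self.tsp.authorize(token, device_id, amount)

def demo():
    pan = "4111111111111111"          # constructed test card number
    tsp = TokenServiceProvider()
    shop = Merchant(tsp)
    token = tsp.provision(pan, "phone-A")
    paid = shop.checkout(token, "phone-A", 120)
    # A token copied out of the merchant's records fails from another device.
    replay = tsp.authorize(shop.records[0]["card"], "phone-B", 120)
    leaked = any(pan in str(r) for r in shop.records)
    tsp.revoke(token)
    after_revoke = shop.checkout(token, "phone-A", 120)
    return paid, replay, leaked, after_revoke
```

`demo()` returns `(True, False, False, False)`: the payment succeeds, the token copied from the merchant's records is declined on a different device, the real card number never appears in those records, and the token stops working once revoked.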
As a customer, how can I start to pay with my smartphone?
You need to be in an area supported by these services, have at least one payment card issued by a supported card issuer, and have a compatible smartphone.
For Samsung Pay and Apple Pay, you can check if your device is included in their compatible device list. For Android Pay, you need to consult with your phone’s manufacturer.
You need to link your payment card with your phone.
Make sure your smartphone is connected to the internet during the registration, then open the respective payment service application, i.e. Wallet, Android Pay or Samsung Pay for Apple, various Android, and Samsung smartphones respectively. You can follow the on-screen instructions to “add” your card to the app. Your card issuer may require active mobile service as a means of authentication.
In this step, your actual card information is sent to the TSP and, in turn, to your card issuer. If these financial institutions approve your application, your actual card information is stored in the TSP, and tokens are generated and sent back to your device after registration.
You are highly advised to register your biometric traits, such as fingerprints, in your smartphone as a means of protecting your phone from unauthorized access. Owners of Galaxy S8 smartphones can register their iris patterns in addition to fingerprints.
When you are about to pay with a mobile payment service in a physical store, you must head to a sales terminal that is compatible with contactless payment (which uses Near Field Communication, “NFC”, technology) and with your payment service. You can always see the supported service providers’ symbols at the checkout.
Samsung Pay also supports Magnetic Secure Transmission (MST), so its users can pay with it at almost any merchant accepting credit cards in Hong Kong.
On the other hand, you can use these services to pay at digital checkouts where the merchants accept them.
In either physical or virtual checkout, your actual card information is no longer transferred to the merchants, adding a level of security to your payment information that physical cards do not have.
Advantages of Samsung Pay
- Payment authentication by iris (exclusive to selected Samsung smartphone models)
- Support for every payment card terminal (both contactless and magnetic-strip-enabled checkout machines)