While NFC-enabled payments are taking the payments market by storm, some areas are yet to adopt them in full force. Israeli start-up WiseSec hopes its Bluetooth technology will facilitate widespread adoption of mobile payments, which is currently being hampered by the lack of NFC-enabled smartphones in the region. Robin Arnfield reports
"The big issue in mobile payments is that NFC technology is still only on around 30% of smartphones worldwide, but Bluetooth is on all smartphones," says Vadim Maor, WiseSec’s CEO.
Yokneam, Israel-based WiseSec, which was founded in 2011, has developed Bluetooth Low Energy (BLE) based mobile location technology which enables consumers to carry out NFC-like transactions without requiring NFC infrastructure. The privately-held company says its partners include US telecoms carrier AT&T and telecoms industry customer experience software vendor Amdocs.
BLE is a protocol that enables Bluetooth 4.0-based smartphones to communicate with in-store BLE-based wireless transmitters known as Beacons.
Because it uses Bluetooth, WiseSec’s system isn’t dependent on cellphone networks, Wi-Fi links or GPS communications.
A WiseSec BLE-based beacon senses when a customer with a smartphone, with the retailer’s mobile app running, has entered the store. The beacon locates the customer’s smartphone, and, assuming the customer has consented, sends promotional messages about nearby items in the store to the phone.
Once the customer is ready to make a purchase, the beacon triggers the launch of the customer’s mobile wallet, enabling them to make a point-of-sale payment by tapping their smartphone against a WiseSec-supplied BLE touchpad.
WiseSec’s technology verifies the customer’s identity, smartphone and location and passes this information to their card issuer to authenticate the customer’s phone and mobile payment app.
WiseSec has developed a patent-pending Bluetooth-to-NFC converter which enables consumers to make NFC payments with any smartphone on the market, even if it isn’t NFC-enabled.
"We’ve developed a bridge between the Bluetooth and the NFC worlds," says Maor. "Our converter is a low-cost, plug-and-play device which translates Bluetooth communications from the customer’s smartphone to NFC format."
Guy Frak, WiseSec’s Executive Vice President, International Business, says the converter works with existing terminal-based POS systems or other types of payment terminals such as card readers in public transit stations.
"Metro transit operators want to be able to accept mobile payments for tickets, but they need to replace their existing card-accepting terminals with NFC-enabled terminals," he says. "With our converter, POS terminals and metro transit terminals can accept Bluetooth and NFC payments without any change to their hardware or software."
In WiseSec’s business model, merchants and banks can either pay a licensing fee per WiseSec device, or they can install free WiseSec devices and pay WiseSec a per-transaction fee, Maor says.
"We aim to be a cross-platform alternative to Apple Pay, Android Pay and Samsung Pay, the drawback of which is that they only work on specific makes of smartphone," says Maor. "Another benefit of our mobile payment system is that it can operate in online and offline mode."
Initially, WiseSec just offered a point-of-sale touchpad connecting via cable to a POS terminal’s USB port. It has now developed a USB-based Bluetooth dongle which works in combination with a WiseSec-supplied wireless touchpad to enable mobile payments at PC-based POS systems.
"A merchant wanting to accept mobile payments can either use the converter or the dongle, depending on whether they have a PC- or terminal-based POS system," says Maor. "The dongle plugs into a POS system’s USB port, but the touchpad is stand-alone, as it is wireless, so it doesn’t need to be next to the POS device. Both the convertor and the dongle behave as a beacon in addition to their main payments functionality."
Maor says the dongle is currently going through PCI (Payment Card Industry) certification.
Apart from plugging in the dongle, merchants don’t have to make any changes to their payments acceptance infrastructure, and they don’t need download any software, Maor says.
"The dongle will plug into any make of POS system, including closed-loop terminals," he says.
When the customer taps their smartphone against the touchpad to initiate a payment, WiseSec obtains their payment card data including their card’s Track Two data from their issuer. "WiseSec tokenises this card data all the way from our server to the dongle or convertor," says Maor. "The user can’t access this data as it is protected by our system, and trying to hack the server will fail because, after tokenisation, the original data is deleted and not stored on the server."
WiseSec encrypts all transaction data in transit between the merchant and its server using military-grade encryption, and uses an additional layer of tokenisation to protect data in transit.
Tokenisation is a security technology which replaces actual payment card numbers with one-time numbers, so a customer’s real card numbers isn’t visible to a merchant. Only the tokenisation service provider can restore tokenised numbers to actual card numbers, a process known as detokenisation.
Frak says WiseSec is seeing considerable interest in its payments technology from banks and payments services providers in China, especially in the public transportation field.
"We will be rolling our mobile payments system out at the beginning of 2016 with one of the Israeli banks," says Maor.
Maor says a financial institution can deploy WiseSec beacons in its branches to identify and communicate with customers’ smartphones which run its mobile banking app.
"By placing our beacons in their branches, banks can offer personalised marketing messages to their customers," says Maor. "Also, the beacons can alert the staff when customers enter the branch. For example, if a VIP customer comes in, the beacon can send a message to the manager to personally greet the customer."
Cardless ATM access
WiseSec has developed a version of its technology enabling consumers to withdraw cash from ATMs using smartphones.
ATM deployers need to install a WiseSec BLE sensor inside their ATM which recognises customers who have downloaded their issuer’s cardless ATM withdrawal app. To make a withdrawal, the customer taps their smartphone on the designated area on the ATM – identified with a sticker – enters a PIN on their phone and then enters their ATM PIN on the ATM’s PIN pad.
"Our location system requires zero distance proximity, which means it is triggered when the customer’s phone is one centimetre from the ATM," says Frak. "Zero proximity is one of the security factors for our ATM technology. Waiting in line, even second in line, won’t activate a request for the customer’s PIN."
Like WiseSec’s mobile payments system, its cardless ATM access technology uses tokenisation to protect customers’ card data.
Comparison with other cardless ATM technologies
Unlike mobile ATM withdrawal systems that use QR codes and one-time authentication codes, WiseSec’s technology requires mobile ATM withdrawals to happen without any delay, similar to plastic card ATM withdrawals.
"With QR codes or one-time PINs, customers may be given several hours to pre-stage and complete their transaction, which introduces a security risk," says Frak. "Another advantage of our system is that, whereas QR codes and NFC-based ATM withdrawals operate only at the transactional level, we can leverage Bluetooth to enable two-way messaging between customers and their issuer. This means that the ATM can transmit promotional messages to the customer’s phone."
WiseSec says its technology enables cardless ATM withdrawals at considerably less cost than upgrading an ATM to accept NFC transactions. Installing an NFC reader at an ATM can cost an estimated $4,000.
In March 2015, WiseSec signed an agreement with two major Israeli banks to deploy its smartphone-based cardless ATM technology. "These banks are now using our technology at their ATMs," says Maor. "Our technology is the only cardless ATM access system to have been approved by the Bank of Israel," says Maor.
The Bank of Israel, the country’s Central Bank, acts as a regulatory and approval body for the Israeli Ministry of Finance.
"The Bank of Israel took nearly a year to approve WiseSec’s technology, which shows how seriously it investigated the system," says Maor. "We’re now working with several large banks around the world including some Asian banks to launch pilots of our cardless ATM technology."
The analysts’ opinion
BLE has immense potential for a variety of use cases from retail to financial services to manufacturing," says Ben Knieff, a Senior Analyst at U.S.-based consultancy Aite Group.
He says: "Beacons can help connect the online and offline worlds in very interesting and powerful ways, and, for many use cases, particularly consumer applications, BLE could be a much better approach than NFC. Using BLE dramatically extends the consumer reach as a large portion of the devices on the market today support BLE, while far fewer support NFC."
"There’s definitely a lot of interest in using the Bluetooth channel for mobile payments," says Christie Christelis, president of Canadian consultancy Technology Strategies International.
He adds: "But, to succeed, WiseSec will need to develop relationships with a lot of players in the financial services industry. Also, eventually the lack of availability of NFC-enabled phones will no longer be an issue, as all smartphones will come with NFC antennas and SIM cards, just as they all have cameras today."
Cardless ATM transactions are an excellent use case for BLE, says Knieff.
"WiseSec’s technology seems well adapted to cardless ATM transactions compared to some other efforts that have been put forward in the UK and Japan," he says. "The improved customer convenience and authentication associated with the mobile device plus location data can be very secure and powerful."
However, Knieff says that, while there has been a big push to use BLE-enabled beacons in US retail outlets to identify customers for marketing purposes; actual in-store beacon deployment has been limited so far. One example is Target which in August 2015 launched a Bluetooth beacon pilot in 50 stores across the US enabling customers who have downloaded the Target iPhone app to receive product offers and recommendations on their smartphones.
Knieff adds that GPS technology provides a lower-cost alternative method to locate and identify customers compared to Bluetooth.
"The advantage of using GPS over Bluetooth is that you don’t need to use extra hardware," he says. "My research has found that, with GPS you only have to be accurate to around 500 metres about the user’s location to prevent fraud. If someone is carrying out a card transaction, for example, and their issuer can locate their mobile phone to 500 to 1,000 metres, they can be fairly confident the transaction is genuine. They can also send the customer an SMS message as a challenge."