mobile transaction payment processing

Upload: ishmo-kueed

Post on 04-Apr-2018


  • 7/29/2019 Mobile Transaction Payment Processing

    White Paper

    Mobile Transactions and Payment Processing

    Ashok Goudar

    Senior Enterprise Architect

    Contents

    Introduction
    Mobile Commerce Business Context
    Mobile Commerce Strategy
    Mobile Channel Strategy
    Mobile Marketing
    Mobile Sales
    Mobile Service
    Mobile Payment
    Mobile Wallets
    Mobile Commerce Transaction
    Mobile Banking and Mobile Money
    Mobile Commerce Transformation Roadmap
    Mobile Commerce Payment Business Scenarios
    Card based Mobile User to Business Payments (CM2B)
    Mobile Wallet User to Business Payments (M2B)
    Mobile Wallet Mobile Users to Mobile User Payments (M2M) Remittance Services
    Mobile Wallet Cross Border M2M
    Mobile Wallet Cross Border M2Account
    Mobile Commerce Payment Processing Models
    Card based Mobile Payments
    Direct Card Based Mobile Payments
    Indirect Card Based Mobile Payments
    Cardless Mobile Payments
    M-Wallet Mobile Account Based Payments
    Contactless Mobile Payments
    Sync and Async Payment Transactions
    Mobile Commerce Solution Architecture
    Mobile Commerce Transaction Scope - flows
    Mobile Client Presentation Layer
    Mobile Commerce Transaction Layer
    Payment Messaging Authorisations, Settlements and Reconciliations
    Payment Gateway Integrations
    Telco Operator Integrations
    SMS Integration
    USSD Integration
    WAP/WML Content Integration
    B2B Mobile Commerce Content Integrations
    Back Office Integrations
    Business Intelligence
    Business Activity Monitoring
    Mobile Commerce Payment Security
    Tokenisation and End to End Security for PA-DSS compliance
    NFC-Based Mobile Commerce Payments
    NFC Card Based Payment Processing
    NFC Mobile Wallet Processing
    NFC Sales and Marketing Content Model
    Application Architecture Mobile Transaction Processing
    Deployment Architecture - Indicative
    Network Connectivity
    Conclusions

    Introduction

    Usage of mobile devices to conduct day-to-day communications, collaborations and business transactions is growing exponentially. More and more users are opting for mobile channels, as part of their daily routines, to manage various aspects of both their business and personal activities. Business organizations have recognized this significant shift in customer choices and preferences, which indicates a constant increase in customer affinity for mobile based transactions. At the same time, mobile technology itself has undergone tremendous innovation and evolution, resulting in more and more powerful mobile devices and communication channels that are capable of handling a variety of practical communication and business transactions. In the recent past, the computing power and network bandwidth of mobile devices and mobile communication channels have advanced to such an extent that the difference between mobile and desktop computing is drastically diminishing. Many business organizations, across all industry sectors, have quickly identified the emergence of business grade mobile technology and have strategically adopted the mobile channel as one of their key eCommerce business channels to conduct the sales, service, and marketing operations and business processes of their mobile commerce business models.

    As mobile technology grows, so does payment technology, which now enables end-to-end payment processing in the context of the associated business (sales) transactions. This makes it possible to conduct an entire business transaction, along with its end-to-end payment processing, over mobile channels, offering customers enormous flexibility as to how, where, and when they initiate their business transactions in real time. The payment processing industry, keeping in line with the potential and constantly increasing growth of mobile commerce, has floated a variety of mobile payment processing solutions and models that can leverage relevant mobile communication services such as GPRS, USSD, NFC, Wi-Fi, Bluetooth, SMS, WAP etc. The increase in wireless bandwidth and the highly available mobile network infrastructure backbone provided by various mobile network operators have further increased the stability, reliability, and quality of service of wireless mobile transactions, making the mobile channel more and more reliable for business critical mobile commerce models.

    Keeping pace with the growth in mobile communication technology, software vendors, service providers and industry forums have been offering newer and enhanced mobile operating systems (Windows Mobile 7.0, Android OS, Symbian, Blackberry OS, Apple iOS 4 etc), APIs (J2ME, Windows 7 Mobile SDK, Android SDK etc), development tools (along with emulators) and technology standards for mobile computing, making it possible to develop and host a variety of mobile transaction processing solutions for mobile commerce. In this context, this paper discusses the solution architecture of a target mobile transaction and payment processing framework for mobile commerce transaction processing. The paper also briefly touches upon various mobile commerce business models and the solution architecture for business scenarios (conducted on different mobile communication technologies) that are addressed by the target mobile transaction and payment processing solution framework.

    Mobile Commerce Business Context

    Mobile commerce is not only an extension of an eCommerce business model but also an innovative commerce model, wherein a variety of commerce transactions are conducted over mobile channels. In mobile commerce, many business organizations, in addition to traditionally established channels (field sales, branch offices, front offices, web channel etc), use mobile channels to conduct their business operations in sales, service, and marketing areas.

    A typical mobile commerce ecosystem, in addition to end-customers, comprises multiple participants including business organizations, retailers, telecom network service providers, mobile transaction processing service providers, payment gateway service providers, acquirers, intermediaries, issuer banks, and a variety of settlement service providers.

    In a mobile commerce business model, end users are able to buy products and services from the merchants (or business organizations) and pay for them through their mobile devices. The services and products are either delivered directly to the customers through their mobile devices (if they are content based services) or shipped to their addresses through shipment and fulfilment processes. As part of the mobile commerce model, users are able to make the payment in a variety of ways over the mobile channels, either using their credit/debit cards or through cardless (contactless) payment mechanisms through their mobile wallet accounts.

    Figure 1: Mobile Commerce Transaction Processing Context

    The mobile commerce services (products and saleable services) are presented to the customers either directly through the mobile channel or through other channels (mediums), depending upon the nature of the services sold. Once the business transaction is completed, the users can make payments directly through their mobile devices. One of the key aspects of the mobile commerce model is that the services and products are offered to the customer through mobile friendly commerce transaction services, over mobile channels, which enable the users to make their purchases directly through their mobile devices. Mobile commerce can provide great flexibility to end users in the way in which they conduct their purchasing operations.

    Mobile Commerce Strategy

    A well formulated mobile commerce business transformation strategy is essential to achieve the mobile commerce (m-business) business goals. Typically, in many organizations across industry verticals, the mobile commerce model is seen as an augmentation of or an extension to the existing brick-and-mortar, e-commerce and e-business models, taking the business services to the consumers over mobile channels. In some small and medium business organizations and start-ups, the mobile commerce model could be the main business service model, enabling those organizations to reach their customers effectively through mobile channels. Due to the shifting habits of consumers and the flexibility associated with mobile enabled business interactions, the mobile commerce model is taking a prominent place in the business strategies of many organizations. A mobile commerce strategy defines the outlook of the proposed mobile commerce model (in other words, the m-business model) across the key aspects of the mobile commerce business model. The scope of the strategy for mobile commerce includes the following:

    Figure 2: Mobile Commerce Strategy Transformations

    Mobile Channel Strategy

    Mobile channels play a critical role in the successful acceptance and adoption of mobile commerce, mobile payment, and mobile banking solutions. The technology of the mobile devices, the users' knowledge of the mobile technology, and the users' familiarity and comfort with mobile channels will impact the level of adoption of mobile business models. The following are the key mobile channels through which target mobile services are delivered to the consumers.

    SMS Channels - SMS messages are supported by a wide array of basic as well as the most advanced mobile devices, and the majority of customers (both educated and uneducated) can use SMS messages to conduct mobile transactions through their phones. However, the costs associated with SMS channel based mobile transaction processing can be relatively higher compared to other mobile channels. Mobile transaction security with SMS channels can also pose a few challenges from a regulatory compliance perspective. In certain geographies, the SMS channel is the only viable channel that can reach a large number of mass mobile users. The SMS channel strategy evaluates the pros and cons of the SMS channel with respect to the business model and formulates a solution strategy that can leverage SMS messages.

    USSD Channel - This is a more secure channel compared to the SMS channels, requiring higher levels of telco participation (USSD gateway service provider) in the mobile transaction model. The USSD channel is supported by a wide range of mobile devices; however, the USSD command model itself differs from one telco carrier to another, resulting in higher solution implementation costs. As with SMS texts, USSD mobile commands are relatively easy to use and hence can appeal to a wide range of customers. The strategy for the USSD channel determines how, where, and when the USSD based mobile commerce solution can be adopted to realize the underlying mobile commerce business models.

    Mobile Browser Channel (mobile optimized and WAP sites) - The mobile device resident mobile browser is used to access the mobile customized WAP or web applications, with which customers can engage in various types of mobile business transactions. This channel can be widely used by educated (technically savvy) users, while many uneducated or under-educated customers may find this channel difficult to use. This channel is relatively easy to adopt, since the existing web channels and web applications can be quickly customized for mobile devices.

    Mobile Application Channel - In this channel, mobile device specific (APIs, OS) mobile applications are used to conduct the mobile transactions. The mobile applications are device specific and OS specific, and usually provide rich user interfaces for the mobile devices. The cost associated with the mobile application channel is relatively high, as the applications need to be developed for a specific set of devices, and the customer coverage is somewhat restricted to those specific devices upon which the mobile applications can run. The rich user interfaces and secured transaction processing capabilities offered by application APIs can be very useful in bringing tailored mobile solutions to target customers.

    NFC and contactless mobile channel - This channel is supported on NFC enabled mobile devices and can be used to realize contactless mobile based business transactions, such as mobile marketing, mobile payments, and various types of mobile promotions, including location based services. In the case of payment processing, the NFC channel also requires NFC enabled POS devices at the merchant locations. This is one of the key emerging mobile channels that needs to be considered while defining an organization's mobile commerce business strategies.

    Mobile Marketing

    Mobile marketing is a business strategy for how, where, and when the marketing services can leverage mobile channels to achieve maximum marketing effectiveness. Effective mobile marketing strategies include the following:

    Mobile Campaigns - Campaigns targeted at selected customer segments over mobile channels.

    In-Store Promotions - Promotional campaigns aimed at customers when they are within a store, offering discounts through mobile channels.

    Location Based Services - Services, promotions, coupons etc offered based on the customer's current location. Such campaigns can influence customer buying habits.

    Coupon Offerings - Coupons and discounts offered through mobile channels. The mobile commerce strategy will also ensure mobile based coupon redemptions during point of sale transactions.

    Mobile Barcode Campaigns - A marketing strategy where mobile barcodes are used for product and service promotions. User devices, when they scan the mobile barcode, receive mobile content often consisting of product details, promotions, discounts, vouchers, and coupons.

    Mobile Personalization - Tailored marketing campaigns over mobile channels, which are based on the user's profile, preferences, habits, and affinities.

    Mobile Sales

    A mobile sales strategy covers the various products and services to be sold either directly over the mobile channels or through the support of mobile channels alongside other sales channels. A mobile sales strategy can include the following:

    Mobile point of sales strategy - How the potential end users can use their mobile devices to make purchases at the point of sales locations.

    Mobile catalog services - How the products and services can be presented to the customers through mobile customized product and service catalogs.

    Mobile coupon redemptions - How, where, and when users can use their coupons and discounts in the context of their purchases over mobile channels.

    Mobile optimized commerce sites - How the commerce websites can be optimized and delivered to the customers over mobile channels.

    Cross and up-selling models - How mobile channels can be used to increase revenues through cross selling and up-selling models.

    Event and geography location based selling - How event and user location based sales can be increased over mobile channels.

    Mobile Service

    A mobile service strategy addresses the service model that needs to be adopted in the context of mobile channel enabled business models. A service strategy for a mobile commerce business model includes the following:

    Fulfillments - Strategy for post sales delivery and shipment of the products and services sold over mobile channels.

    Returns - Strategies for handling post sales returns for the products and services sold over mobile channels. This will include processing of payment returns.

    Inventory Management - Deals with the inventory management of a mobile commerce business model.

    Contact and Call Centers - Post sales help and call centers for the customers.

    Mobile Payment

    This is a mobile strategy for accepting and processing payments over the mobile channels, in the context of mobile commerce sales transactions. The mobile payment strategies can include:

    Card based mobile payments - How the mobile commerce business model and strategy supports card based payment acceptance. The card based payment strategy outlines the model for supported card types, geography based payment gateway services, and cross border card based payments over mobile channels.

    Contactless card based mobile payments - Deals with contactless card based mobile payments using mobile devices (with NFC technology).

    Cardless mobile payments - Includes the strategies for accepting payments through cardless payment models such as mobile wallets.

    Carrier Billing - A payment strategy wherein the mobile sales transactions are charged against the user's carrier billing, which is paid by the user on either a pre-paid or a post-paid contract.

    Mobile Wallets

    A mobile wallet based payment strategy deals with how, where and when payments can be accepted and processed using the users' mobile wallet accounts. The strategy also defines how the mobile wallet accounts are integrated with the commerce transactions to process the associated transaction payments. The mobile wallet payment options include the following:

    Prepaid - Here the users top up their mobile wallet accounts upfront, and those mobile wallet accounts are used to make the payments in the context of the mobile sales transactions.

    Post-paid - In this case, a user's mobile wallet account is linked to his or her carrier billing account. The mobile sales transactions are paid with the user's mobile wallet account, which in turn is charged to the associated mobile billing account that is usually paid on a monthly or quarterly basis.

    Card linked mobile wallets - In this mobile wallet strategy, the mobile wallet accounts are linked to the users' debit or credit cards. In a mobile sales transaction with card linked mobile wallet payment, the final payment is made from the wallet account that is linked to the user's cards.

    Carrier hosted wallet service - In this wallet payment strategy, the wallet services are primarily provisioned by a carrier (telecom network operator or mobile service provider), in partnership with participating banks and financial institutions, to link mobile wallets with the users' card services. The payment settlements are done between the carrier and the participating financial institutions. The carrier alone maintains the mobile users' wallet accounts and provides complete mobile payment transaction support.

    Financial institution hosted wallet service - In this strategy, the mobile wallet services are hosted by financial institutions (such as payment service providers, payment network service providers, and banks) in partnership with related telco or carrier service providers. The FIs will maintain the users' mobile wallet accounts in relation to their card accounts. In such a model, the telcos (carriers) will be maintaining the user mobile accounts and will be participating in the mobile payment transaction.

    Business hosted mobile wallet service - In this strategy, the mobile wallet services are hosted by independent mobile payment transaction service provider(s), along with participation from telecom carriers and financial institutions.

    Mobile Commerce Transaction

    This strategy defines the mobile transaction based business model in which various services, both internal and external (partner content services), are offered to the customers. In this model, a variety of industry specific mobile commerce transaction services are sold to the customers over mobile channels and the associated payments are also processed over mobile channels. It also formulates a mobile application strategy that can support various mobile commerce transactions. The mobile transaction processing strategy further includes the following:

    Content based mobile commerce transactions - In this model, mobile device and channel compliant content services such as music, games, videos, movies, gigs etc are sold to the customers using mobile channels, and the associated payments are processed either through card based accounts or through wallet accounts, including carrier billing models.

    Mobile bill payment transactions - This mobile commerce business model enables the end users to make their bill payments (of various types) directly through their mobile devices, using their card accounts or mobile wallet accounts.

    Mobile ticketing services - In this mobile commerce business strategy, various types of ticketing services (movies, entertainment, concerts, games, sporting events etc) are sold over the mobile channels, and payments for such sales transactions are processed with card accounts or with mobile wallet accounts through mobile channels.

    Travel booking services - In this business model, various types of travel (bus, air, train, taxi, ships, ferries etc) and hotel related booking services are offered over mobile channels. Payments for such sales transactions are processed with card or mobile wallet accounts.

    Industry specific mobile commerce transactions - These are the industry specific mobile commerce business transaction models, wherein industry specific services are sold to the customers over the mobile channels. Such services are very specific to the concerned industry, such as insurance, retail, telco, finance, government etc.

    Mobile Banking and Mobile Money

    The strategy for mobile banking and mobile money transfers involves formulating the business models and approaches to extend banking services and money transfer facilities over mobile channels. A mobile banking strategy aims at providing complete banking facilities to the customers through their mobile devices. The following are the key flavours of this strategy:

    Mobile retail banking - This business strategy aims at bringing the key retail banking services such as statements, balance enquiry, check deposits, money transfers, bill payments, direct debits etc to the customers over the mobile channels.

    Mobile cheque deposits - This business service allows the customers to make cheque deposits remotely.

    Mobile peer to peer payments - Allows the users to make money transfers or payments directly to one another, using mobile channels, either using their mobile wallet accounts or with their bank accounts, including card accounts.

    Mobile money transfers - Mobile enabled local and cross border money transfers can help many customers to make money transfers easily from their mobile devices, either using their card/bank accounts or through their mobile wallet accounts. This strategy defines the mobile enabled money transfer business models and associated solutions. Cross border international money transfers can involve multiple local and international participants, including FIs, banks, and cross border settlement solutions.

    The mobile banking services can be provisioned through user chosen (compatible) mobile channels such as text/SMS, a dedicated mobile application, and mobile customized web application sites that are accessible through mobile hosted browsers.

    Mobile Commerce Transformation Roadmap

    A well planned mobile commerce transformation roadmap can help organizations to realize their mobile commerce business goals and achieve their target mobile commerce business strategies. A mobile commerce transformation roadmap in an organization depends upon business priorities, business sponsorships, and several internal and external dependencies. In a mobile commerce business model, such a transformation can also depend upon technical feasibility and the technology options available. A mobile commerce transformation roadmap can differ from organization to organization depending upon the current state of business and technology models, business priorities, and target markets. In general, in many organizations a typical mobile commerce journey starts with mobile marketing services and gradually moves towards a complete mobile commerce business model, offering full services over mobile channels. In some other organizations, such as banks, the priority would be mainly on customer reach and satisfaction, which may put priority on mobile self service models for payments and retail banking. The transformation roadmap thus depends upon multiple factors, and hence the definition and planning of such a mobile transformation roadmap needs to take all influencing factors into account. The following figure shows an indicative mobile commerce transformation roadmap. It is important to note that there is no one common transformation roadmap for all mobile commerce initiatives in different organizations. It may also be noted that the key mobile commerce initiatives are not necessarily taken in a sequential manner; many times such initiatives are handled in parallel within the scope of an overall mobile commerce transformation programme for the organization.

    Mobile Commerce Payment Business Scenarios

    In the context of mobile commerce transactions, the usage of mobile technology to facilitate flexible payment options can be envisioned to support multiple mobile payment scenarios, seen in practice in a variety of day-to-day business operations.

    In this section, based on the context of the mobile payments and the associated mobile commerce transactions, the following key mobile payment business scenarios are discussed.

    Figure 3: Mobile commerce - Payment business scenarios

    Card based Mobile User to Business Payments (CM2B)

    In this payment scenario, the mobile users make payments to the businesses or the merchants with their payment cards (credit, debit, etc) through the mobile channel.

    In this mode, the users actually conduct their mobile commerce transactions and make the payments against the bills (invoices) generated, through their mobile devices, using their payment cards. The following are the key steps performed in this scenario (depicted in Figure 4).

    1. Users invoke the mobile commerce application from their devices.

    2. Users are presented with the products and services along with their prices.

    3. Users select products and services and add them to the shopping cart.

    4. After verification of the bills, users perform the checkout operation.

    5. After checkout, users are presented with either a payment screen where they enter their card details and pin number (securely - login pins) to make the payments, or the pre-stored payment card details along with the pin number are automatically taken for payments, based on user approvals.

    6. The user's payment details along with card details are passed to the respective payment service provider (through the mobile transaction service provider) for payment authorization and subsequent settlement (payment is authorized against the user's account held in the issuer bank).

    7. Upon authorization, the payment is either directly deposited into the merchant account or settled, based on the pre-agreed settlement period, by the acquirer.

    Figure 4: Card based Mobile User to Business

    Mobile Wallet User to Business Payments (M2B)

    In this scenario, the mobile users directly use their mobile phones as wallets to make payments. In this mode, there is no direct usage of payment cards involved. The following are the key steps performed in this scenario.

    1. Users invoke the mobile commerce application from their device.

    2. Users are presented with the products and content services along with their prices.

    3. Users select products and services and add them to the shopping cart.

    4. After verification of the bills (invoices), users perform the checkout operation.

    5. After checkout, users are presented with a screen to enter their mobile wallet entry pin, to make the payments.

    6. Upon receipt of the wallet account pin, the user's mobile SIM number or any such uniquely identifiable numbers (and any pre-stored wallet number) along with the pin is propagated to the mobile wallet service provider through the mobile transaction processing service provider. Upon authentication and authorization of the user wallet credentials, the mobile wallet service provider makes the payment to the associated merchant account, through standard acquirer, payment gateway service provider networks. The merchant account is deposited with the transaction amount based on the pre-agreed settlement periods.

    7. Payment confirmation is sent back to the mobile user.

    8. Mobile transaction is closed.

    Figure 5: Mobile Wallet for Payments (M2B)

    Mobile Wallet Mobile Users to Mobile User Payments (M2M)

    Remittance Services

    This is a mobile wallet based peer-to-peer payment scenario, in which mobile users can make

    direct payments to other mobile users through their m-wallet accounts. No card based payment is

    involved in this scenario. The recipient (beneficiary) may receive the payment either into their m-wallet

    account or into their bank account, based on the payment instructions.

    The following are the key steps involved in this type of payment scenario:

    1. User invokes a special purpose mobile commerce application for peer-to-peer payments on their

    device. This application facilitates payments either directly to the recipient's (beneficiary's) m-wallet

    account or to the associated bank account.

    2. User is prompted to enter the payment instruction details in the application, including the peer's

    wallet or bank account identification details.

    3. User is prompted for the m-wallet pin number.

    4. Mobile payment transaction details along with m-wallet credential details are passed to the m-wallet

    service provider through the mobile transaction service provider.

    5. Upon validation of the payment instructions along with the user's credential details, the following

    payment deposit actions are performed:

    a. If the recipient's m-wallet details are provided, then the payments are made directly to the

    recipient's m-wallet account. Payment confirmation is sent back to the user.

    Figure 6: Mobile Wallet M2M Remittance Services


    b. If the recipient's bank account details are provided, then the payments are made directly to the

    recipient's bank account, through settlement networks. Payment confirmation is sent back to

    the user. Upon deposit into the recipient's bank account, the recipient is notified of the deposit

    either through the mobile channel or through other relevant channels which the recipient has opted

    for.

    6. Mobile transaction is closed.

    Mobile Wallet Cross Border M2M

    This is an international cross border mobile-to-mobile payment scenario, in which both the payer and the

    beneficiary use their m-wallet accounts during the payment transaction. It is similar to the

    previous scenario, except that in this scenario there is an international cross border settlement

    component involved.

    The following are the key steps of this mobile payment scenario:

    1. User invokes a special purpose mobile commerce application for peer-to-peer payments on their

    device. This application facilitates payments directly to the recipient's m-wallet account.

    2. User enters the payment instruction details in the application, including the peer's wallet details.

    3. User is prompted for the m-wallet pin number.

    4. Mobile payment transaction details along with m-wallet credential details are passed to the m-wallet

    service provider through the mobile transaction service provider.

    5. Upon validation of the payment instructions along with the user's credential details, the following

    payment deposit actions are performed:

    a. The cross border settlement transaction is initiated between the m-wallet service provider's bank

    account and the recipient's m-wallet service provider's bank account.

    b. Upon settlement, the recipient's m-wallet service provider deposits the money into the recipient's

    wallet service account.

    6. Payment confirmation message is sent back to the payment initiator.

    Figure 7: Mobile - Wallet Cross Border M2M Services


    Mobile Wallet Cross Border M2Account.

    This is a slight variant of the previous scenario, in which the payment transfer is made to the recipient's

    bank account, or the transferred amount is paid directly to the end recipient (beneficiary). The following

    are the key steps in this scenario:

    1. User invokes a special purpose mobile commerce application for peer-to-peer payments on their

    device. This application facilitates payments directly to the recipient's m-wallet account.

    2. User enters the payment instruction details in the application, including the peer's wallet details.

    3. User is prompted for the m-wallet pin number.

    4. Mobile payment transaction details along with m-wallet credential details are passed to the m-wallet

    service provider through the mobile transaction service provider.

    5. Upon validation of the payment instructions along with the user's credential details, the following

    payment deposit actions are performed:

    a. The cross border settlement transaction is initiated between the m-wallet service provider's bank

    account and the recipient's bank account, and the recipient end user is notified of the transfer.

    b. Where the recipient does not have a bank account, the money is transferred to an

    intermediary account (based on the pre-agreed arrangement), from where the amount is

    disbursed to the recipient through direct channels.

    Figure 8: Mobile Wallet Cross Border M2Account


    Mobile Commerce Payment Processing

    Models

    In many industry sectors, such as retail, telco, insurance and finance, the adoption of mobile

    commerce business models depends upon the ability to securely process payments through mobile

    channels, over multiple mobile devices built on different technologies. The key mobile payment

    schemes that can enable a variety of mobile commerce business models can be grouped into the following

    models:

    Card based Mobile Payments

    In these types of mobile payment schemes, the actual payment cards, such as debit cards, credit

    cards, prepaid cards, post paid cards, gift cards and vouchers, are used to make the payments through

    mobile devices. Based on the context of the business sales transaction, users are required to furnish the

    card details along with the pin verification to make the payments. Card based mobile payments can be

    further classified into direct and indirect card based payment schemes. The card details can also be

    stored directly in the memory or smart cards of the mobile devices.

    Direct Card Based Mobile Payments

    In this type of payment mode, the users directly provide the card details at the point of making

    payments. The user's card details, along with pin verification, are used to make the payments to the

    concerned merchant accounts.

    Indirect Card Based Mobile Payments

    In an indirect card based mode, the user's card details are registered with the payment service

    provider upfront, either through web or mobile channels, and subsequent user payments are made with

    a secure pin entry provided by the users. The users do not have to enter the card details at the point of

    sales step of the process.

    Cardless Mobile Payments

    Cardless mobile payment options allow end users to make payments without the need to have

    payment cards such as credit or debit cards. In these types of payment modes, the payment is

    primarily made against the user's mobile wallet account, which is monetarily replenished through

    various online or mobile payment modes. Cardless mobile payments can be broadly arranged into the

    following categories:

    M-Wallet Mobile Account Based Payments

    In this mode, the user's mobile account is charged against the bills (for the services and

    goods) generated during mobile sales transactions. Such mobile wallet account based payments can

    have further flavours such as:

    Pre-Paid mobile payment accounts

    In this type of contract, the users buy the pre-paid mobile wallet account value by using top-up

    services, for which the payment is made through a variety of channels, including online, ATM etc.

    Such pre-paid wallet accounts are then used during the mobile commerce transactions to make the

    actual payments.


    Post-Paid Mobile payment accounts

    Post-paid contracts enable the users to pay their mobile charges along with any other mobile

    commerce charges on a periodical basis (monthly, quarterly etc), based on the contract type chosen

    with the mobile wallet operator. During the mobile commerce transactions, the payments are

    initiated against the post-paid mobile account, and regular bills are forwarded to the customer

    (users) as per the billing arrangements.

    Contactless Mobile Payments

    The contactless mobile payments work more or less the same as other types of cardless mobile payments,

    except that the payment details appear on the mobile devices automatically, in the context of a

    business transaction, when a mobile device is brought into the close vicinity of a concerned point of

    sales (PoS) device. The NFC based mobile devices and contactless credit cards can engage with PoS

    devices to enable contactless payments. The ISO/IEC 14443 standards define the framework to

    manage the contactless payment communications between a payment card reader (or NFC capable

    PoS device) and an associated payment card device (either card based or NFC device based).

    Near Field Communication (NFC) Contactless payment

    Near field communication technology leverages short range wireless technology that can

    enable communication between two devices whenever they come into the close vicinity of each

    other. In the context of mobile transactions, this communication technology is further used to initiate

    payments from an NFC enabled mobile client device with a corresponding NFC enabled PoS device.

    Sync and Async Payment Transactions

    Mobile commerce payment transactions can be conducted either in a synchronous or in an asynchronous

    mode. In a synchronous payment transaction, the user's payment transaction is completed along with

    the underlying business sales transactions, which usually have atomic transaction scope. Usually, card

    based mobile payments are processed through synchronous integration patterns.

    The mobile transactions can also be handled in an asynchronous fashion using SMS, USSD mobile, and

    other technologies, wherein the entire mobile commerce transaction is conducted through a set of

    related, but asynchronous business transactions.


    Mobile Commerce Solution Architecture

    A mobile commerce solution architecture that can support mobile transaction processing capabilities

    needs to address the requirements that are unique (in addition to business requirements) to mobile

    commerce, such as performance, security and relative instability of the mobile wireless networks,

    constantly emerging mobile technologies and a wide range of mobile client technology specifications. It

    is also important that the solution architecture addresses all the non functional requirements such as

    scalability, availability, PCI-DSS compliance, DPA compliance, and any other associated regulatory

    compliance requirements. In this section we further discuss the architectural details of the mobile

    transaction processing solution framework that can support end to end mobile commerce business

    models in many organizations.

    Mobile Commerce Transaction Scope - Flows

    A typical mobile commerce transaction can be viewed either as an atomic or as a long lived composite

    transaction (depending on the requirements), comprising multiple participating sub transactions

    (services) such as an order management transaction and an associated payment transaction. The

    following diagrams show the general transaction scope of a mobile commerce business transaction.

    In order to ensure a successful mobile transaction and to maintain transaction integrity, all the

    individual steps in the scope are required to be completed; else an appropriate rollback (compensation) is

    required to be issued. In order to maintain payment transactional integrity, it is important to ensure

    Figure 9: Mobile Transaction Processing Solution Framework


    that the rollback of payments is achieved (by issuing payment rollback instructions), in case any

    part of the transaction fails to go ahead. However, for practical reasons, it is also feasible to update

    the orders manually, in case the payment is successful but the order update has failed.

    However, if the order is cancelled for some reason (usually by end users), then a corresponding

    payment rollback transaction needs to be initiated (depending upon the logic).
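
    The rollback rules described above, shown as an added example (not code from the white paper): each completed step registers a compensation, and a failure runs the compensations in reverse order. The Orders and Payments classes, the step names and the manual_order_fix switch are hypothetical stand-ins for the order service and the payment provider.

```python
"""Order + payment as one composite transaction with compensation (rollback).

Orders and Payments are in-memory stand-ins constructed for this example.
"""

class StepFailed(Exception):
    """Raised by a participating service when its sub-transaction fails."""

class Payments:
    def __init__(self, decline=False):
        self.decline = decline
        self.captured = {}   # order_id -> amount taken from the payer
        self.reversed = []   # order_ids for which a rollback instruction was issued

    def pay(self, order_id, amount):
        if self.decline:
            raise StepFailed("payment declined")
        self.captured.setdefault(order_id, amount)  # a retry must not charge twice

    def reverse(self, order_id):
        if self.captured.pop(order_id, None) is not None:  # reversing twice is a no-op
            self.reversed.append(order_id)

class Orders:
    def __init__(self, fail_update=False):
        self.fail_update = fail_update
        self.status = {}
        self.manual_queue = []  # orders paid for but awaiting a manual update

    def create(self, order_id):
        self.status[order_id] = "created"

    def mark_paid(self, order_id):
        if self.fail_update:
            raise StepFailed("order update failed")
        self.status[order_id] = "paid"

    def cancel(self, order_id):
        self.status[order_id] = "cancelled"

def run_steps(steps):
    """steps: (name, action, compensation). On failure, undo completed steps in reverse."""
    completed = []
    for name, action, compensate in steps:
        try:
            action()
        except StepFailed:
            undone = []
            for done_name, undo in reversed(completed):
                if undo is not None:
                    undo()
                    undone.append(done_name)
            return {"ok": False, "failed": name, "compensated": undone}
        completed.append((name, compensate))
    return {"ok": True, "failed": None, "compensated": []}

def checkout(orders, payments, order_id, amount, manual_order_fix=False):
    def update_order():
        try:
            orders.mark_paid(order_id)
        except StepFailed:
            if not manual_order_fix:
                raise                              # default: roll the payment back
            orders.manual_queue.append(order_id)   # keep payment, fix the order by hand

    return run_steps([
        ("create_order", lambda: orders.create(order_id), lambda: orders.cancel(order_id)),
        ("pay", lambda: payments.pay(order_id, amount), lambda: payments.reverse(order_id)),
        ("update_order", update_order, None),
    ])

def cancel_order(orders, payments, order_id):
    """A cancellation after a completed transaction triggers a payment rollback."""
    orders.cancel(order_id)
    payments.reverse(order_id)
    return orders.status[order_id], order_id in payments.reversed
```

    Both compensations are idempotent, so a retried rollback instruction cannot refund the same order twice.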

    In order to improve performance, in some use cases it may be useful to introduce asynchronous

    mobile commerce transaction processing, wherever it is feasible to achieve. This can be

    achieved by breaking the entire mobile transaction into manageable sub transactions that

    can be meaningfully performed in an asynchronous manner, while still achieving the

    completion of the overall mobile commerce transaction.

    The client application layer of the solution provides the mobile user interfaces, using which

    the end users can conduct their mobile commerce transactions. The key mobile commerce client

    functions can be grouped into the following modules, which are implemented using different

    mobile client technologies.

    User Module - Provides the full functionality to manage the user profile, which can provide all the

    necessary information regarding the user that is essential to conduct mobile payment

    transactions. The information can include user id, user certificates, user card details including pin

    (through secured storage), billing address, shipping address etc. The following are some of

    the key mobile use cases of this module:

    Figure 10: Mobile Commerce Transaction Scope

    Figure 11: End-to-End Full Transaction

    Mobile Client Presentation Layer

    Figure 12: mCommerce Transactions Presentation Layer Modules


    Login - Enables the user to login into their mobile payment accounts.

    Manage User Profile - Allows user to update and manage their mobile account.

    Fillup Wallet Account - Make deposits to the mobile wallet account.

    Make Mobile P2P Payments - Allows the user to make person-to-person mobile payments using

    card or m-wallet account.

    Make Mobile Money Transfers - Allows the users to make mobile money transfers.

    Make P2P Payments / Money Transfers with SMS - Allows the users to perform P2P payments with

    SMS based communication.

    Make P2P Payments / Money Transfers with USSD - Enables the user to pay using USSD

    messages.

    Product and Service Module - This module provisions the mobile commerce product and service

    catalog services, using which users can browse the available services and products along with their

    pricing details. The following key use cases are included as a part of this module.

    Search Products and Service Catalog - Allows the users to perform a quick search on available

    products and services.

    View products and service catalog - Enables the users to view the products and services

    available in a particular category.

    Buy selected services with M-wallet account - Enables the users to buy the selected product

    or service with their M-wallet account.

    Buy selected services with card payments - Enables the users to buy the selected product or

    service with credit or debit payment cards.

    Buy selected services with M-wallet account using SMS - Enables the users to buy the

    selected product or service with their M-wallet account, using SMS messages.

    Buy selected services with M-wallet account using USSD - Enables the users to buy the

    selected product or service with their M-wallet account, using USSD messages.

    Buy selected services with M-wallet account on NFC channel - Enables the users to buy the

    selected product or service with their M-wallet account, using NFC channel.

    Orders management module (with payment processing) - This is one of the key modules, using

    which users can select the products and services, add them to their shopping cart and subsequently

    initiate mobile commerce orders. Internally, this module uses the mobile payment module to initiate

    the mobile payments in the context of a placed order. This module includes the following main use

    cases:

    Create shopping cart for an order - Allows the users to create an order (shopping cart) by

    selecting products and services.

    Add products and services to an order - Users can add, delete, and update the order with

    selected products and services.

    Pay the order with M-wallet account - Enables the users to pay the order with their M-wallet

    account.


    Pay the order with card payments - Enables the users to pay the order with their credit or debit

    card accounts.

    System Admin Module - Includes the mobile commerce application management functions, to set up

    various system configurations that are used during live transactions. This module also enables the

    users to maintain their address details, payment contacts, and any vouchers and coupons which they

    can use during payments. The following are some of the sample use cases included in this module.

    Manage user account - Enables the users to maintain their mobile account details.

    Manage user address - Allows the users to manage their various addresses such as billing address,

    shipping address etc.

    Manage users contacts - To manage the user's payment contact details.

    Manage user coupons and vouchers - Enables the users to manage their coupons and loyalty

    points etc.

    The UI layer can be built using multiple mobile client technologies depending upon the operating

    system and API supported by the individual mobile devices. Currently, multiple mobile operating

    systems and mobile client APIs (SDKs) are provided by major mobile software vendors in the market.

    The following are some of the key mobile client (micro edition) APIs (SDKs) (supported on the respective mobile

    OS) that can be used for developing the mobile client application layer:

    Java ME - Java Platform Micro Edition is a complete Java based design time and run time

    platform, supporting mobile technology with the Java run time. Java ME provides multiple APIs and JSRs

    to support mobile application development. For mobile client application development, one can

    use some of the key APIs, such as Java ME web service, Java ME Swing and Java ME Socket, to develop

    appropriate Java mobile client applications. A set of mobile technology JSR APIs are bundled as a

    part of the latest Java ME, to support a wide array of mobile applications.

    Windows Mobile OS7 - The Windows SDK is the latest Windows operating system and SDK for Windows

    mobile devices. The Windows mobile SDK can support full cycle development of Windows mobile

    commerce clients, which can connect with the mobile commerce services hosted in the service

    layer. A Windows OS7 client will be able to run on mobile client devices that run Windows OS7.

    Android - Android Mobile OS is another major mobile operating system, along with a relevant

    SDK that can support full cycle development of mobile commerce clients, which can interface

    with mobile commerce services hosted in the service layer.

    iOS 7 - Is an Apple OS for Apple mobile devices and smartphones, supporting full cycle

    development of the mobile commerce clients that can interact with the mobile commerce

    services hosted on the service layer.

    SMS - SMS based mobile commerce connectivity has been successfully used, wherein

    SMS messages are used to process the mobile payment transactions in the context of a

    mobile commerce transaction.

    Figure 13: Mobile Commerce Service Layers


    WAP clients: Wireless Application Protocol is a GPRS based protocol, using which WML based

    mobile client application can be displayed in the mobile devices using WAP enabled browsers. WAP

    enabled mobile clients can interact with the mobile commerce services including mobile payment

    services, hosted on the mobile commerce service layer. WAP clients are supported by the majority of

    client devices, and a WAP gateway is required for converting the WML content to HTML content before

    being posted to the application server (Web server) in the mobile commerce service layer. The majority of

    WAP sites are accessible from a wide array of mobile devices. As of now, WAP based mobile

    service is slowly declining, as more and more powerful mobile browsers are now being supported by

    recent mobile devices.

    Mobile HTTP client (HTML 5.0 / CSS 3.0)

    Recent mobile devices and smartphones are enabled with micro browsers which are capable of

    rendering much of the modern day web application content. Some of these micro browsers now

    support client side computing (mobile Ajax) and can successfully render the complete web content

    that is developed on HTML 5.0 / CSS 3.0 standards. The mobile commerce clients can be developed

    on HTML 5.0 / CSS 3.0 specification standards, just as any other standard web application. The server

    side components of the web applications can invoke the services hosted on the mobile commerce

    service layer.

    Mobile Commerce Transaction Layer

    The mobile commerce transaction layer of the solution comprises the mobile commerce key process

    (workflows) layer and the mobile commerce service layer. This layer can host a variety of required mobile

    commerce and payment processing processes and services. The following diagram depicts a

    representative set of mobile transaction services hosted in this layer.

    Figure 14: Mobile Commerce Transaction Layer

    Process and human workflow Layer

    The process layer of the solution consists of key mobile commerce business processes that

    support the end-to-end processing of mobile transactions involving human workflows. The processes

    (workflows) hosted in the process layer can be long lived processes or atomic short lived transaction

    processes. The human interfaces of these processes (which are also termed human workflow services)

    can be implemented as mobile client applications, using which the end users interact with

    the mobile commerce process workflows.


    Service Layer

    In this layer, key mobile commerce services are created, composed and aggregated and are exposed

    as services, which can be invoked by various consumers with supported service bindings.

    Basically, the services created in this layer include the business services, utility services and application

    services that can facilitate the integration between internal applications as well as external sources.

    The services in this layer are created as service composites compliant with SCA standards. The

    services can also be accessed by the mobile presentation layer components over the REST protocol, via

    "REST Adaptor" components. The service calls over the REST protocol are likely to improve performance

    in some scenarios.

    Service Bus

    The service bus hosts service end points for the mobile commerce services. The mobile client

    applications as well as mobile business processes and any other service consumer clients can invoke

    the service end points through the service bus. The service bus provides standard functionality such as

    service routing, service mediation, service protocol transformation, service auditing and logging and

    quality of service (QoS) features to the service end points.

    Payment Messaging Authorizations, Settlements, and

    Reconciliations.

    The payment processing services in the mobile transaction solution framework can leverage the

    following types of payment integrations:

    1. Payment gateway service provider integration - Any third party payment gateway service

    providers are directly integrated from the mobile transaction processing solution framework. Such

    integrations are developed with multiple integration protocols such as web services, TCP/IP socket

    interfaces, secured file transfers and secured message transfers, depending upon the integration

    support provided by the service provider. The messages exchanged through such gateway service

    providers are usually customized in nature, as per the specifications determined by the service

    provider.

    2. Authorization and verification integrations (with acquirer or payment authorisation service

    provider) - In this mode of integration, the mobile transaction framework directly integrates with the

    relevant acquirer or card authorization service provider, for securing the authorizations (pre, post

    and partial authorizations), payment reversals, and also relevant card holder verifications, for card

    based transactions. The authorization and verification messages exchanged are usually ISO8583

    compliant, supporting the required authorization cycles.

    Figure 15: Payment Messaging Interfaces


    3. Settlement integrations with settlement service providers - These are the interfaces with

    payment settlement service providers, to ensure timely settlement of conducted payment

    transactions. The settlement integrations are usually implemented as asynchronous secure file

    exchange (SFTP, SSH) based interfaces. The settlement files are created as per the settlement file

    specifications, such as apacs29b formats.

    4. Authorisation and settlement interfaces with mobile wallet service providers - These are

    the interfaces between the mobile transaction solution framework and relevant mobile wallet service

    providers to authorize and settle the mobile wallet account based transactions. Such interfaces are

    usually implemented as real time sync integrations, but can also be implemented in batch mode,

    depending upon the arrangements with the involved mobile wallet service providers. The messages

    exchanged with the mobile wallet service providers are usually proprietary in nature.

    5. Reconciliation Interfaces - These are various interfaces developed in the mobile transaction

    solution framework to facilitate payment transaction reconciliations between various participants

    involved in the payment eco system. Such participants may include merchant locations, retailers'

    POS locations, payment authorization service providers, payment settlement service providers,

    issuer banks, acquirer banks and any associated card network service providers.

    ISO8583 Message interfaces - The payment interfaces between the mobile transaction solution

    framework and various associated payment authorisation service providers are based on ISO 8583

    messaging standards. The key message types of ISO8583 messages, exchanged between the MPTS

    framework and respective payment authorisation service providers, are depicted in the diagram

    below.
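
    An added example (not from the white paper) of what the ISO 8583 interface described above carries: it decodes the message type indicator and primary bitmap of an authorization request and response, rejects anything it cannot account for, and masks the card number before logging. It assumes ASCII encoding with a hex-encoded primary bitmap; the field table, function names and sample values are constructed for illustration.

```python
"""Decode an ISO 8583 message (MTI + primary bitmap + fields) and mask the PAN.

Assumptions for this example only: ASCII encoding, a 16-hex-digit primary
bitmap, and just the data elements listed in FIELDS. All values are constructed.
"""

MTI_VERSION = {"0": "1987", "1": "1993", "2": "2003"}
MTI_CLASS = {"1": "authorization", "2": "financial", "4": "reversal",
             "5": "reconciliation", "8": "network management"}
MTI_FUNCTION = {"0": "request", "1": "request response",
                "2": "advice", "3": "advice response"}
# data element -> (name, kind, length); LLVAR carries a 2-digit length prefix
FIELDS = {
    2: ("pan", "LLVAR", 19), 3: ("processing_code", "FIXED", 6),
    4: ("amount", "FIXED", 12), 11: ("stan", "FIXED", 6),
    39: ("response_code", "FIXED", 2), 41: ("terminal_id", "FIXED", 8),
    49: ("currency", "FIXED", 3),
}

class Iso8583Error(ValueError):
    """Raised for any message the decoder cannot account for character by character."""

def describe_mti(mti):
    if len(mti) != 4 or not mti.isdigit():
        raise Iso8583Error("MTI must be four digits")
    try:
        return " ".join((MTI_VERSION[mti[0]], MTI_CLASS[mti[1]], MTI_FUNCTION[mti[2]]))
    except KeyError:
        raise Iso8583Error("unsupported MTI " + mti) from None

def bitmap_fields(bitmap_hex):
    """Bit 1 is the most significant bit; bit n set means data element n follows."""
    if len(bitmap_hex) != 16 or any(c not in "0123456789ABCDEFabcdef" for c in bitmap_hex):
        raise Iso8583Error("primary bitmap must be 16 hex digits")
    bits = int(bitmap_hex, 16)
    return [n for n in range(1, 65) if (bits >> (64 - n)) & 1]

def build(mti, fields):
    describe_mti(mti)
    bits, body = 0, []
    for number in sorted(fields):
        _, kind, length = FIELDS[number]
        value = fields[number]
        if kind == "LLVAR" and 0 < len(value) <= length:
            body.append("%02d%s" % (len(value), value))
        elif kind == "FIXED" and len(value) == length:
            body.append(value)
        else:
            raise Iso8583Error("bad length for field %d" % number)
        bits |= 1 << (64 - number)
    return mti + "%016X" % bits + "".join(body)

def parse(message):
    if len(message) < 20:
        raise Iso8583Error("shorter than MTI + primary bitmap")
    mti, pos, fields = message[:4], 20, {}
    describe_mti(mti)
    for number in bitmap_fields(message[4:20]):
        if number not in FIELDS:  # includes bit 1 (secondary bitmap present)
            raise Iso8583Error("field %d not supported, length unknown" % number)
        _, kind, length = FIELDS[number]
        if kind == "LLVAR":
            prefix = message[pos:pos + 2]
            if len(prefix) != 2 or not prefix.isdecimal() or int(prefix) > length:
                raise Iso8583Error("bad length prefix for field %d" % number)
            length, pos = int(prefix), pos + 2
        value = message[pos:pos + length]
        if len(value) != length:
            raise Iso8583Error("message truncated in field %d" % number)
        fields[number], pos = value, pos + length
    if pos != len(message):
        raise Iso8583Error("unparsed trailing data")
    return mti, fields

def mask_pan(pan):
    """Show at most the first six and last four digits (the usual PCI DSS display limit)."""
    if len(pan) < 13:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def log_view(message):
    """Return (mti, description, named fields) with the PAN masked, safe to write to a log."""
    mti, fields = parse(message)
    view = {FIELDS[n][0]: v for n, v in fields.items()}
    if "pan" in view:
        view["pan"] = mask_pan(view["pan"])
    return mti, describe_mti(mti), view

# Constructed authorization request (0100) and matching response (0110).
REQUEST = build("0100", {2: "4111111111111111", 3: "000000", 4: "000000001250",
                         11: "000123", 41: "MPOS0001", 49: "826"})
RESPONSE = build("0110", {3: "000000", 4: "000000001250", 11: "000123",
                          39: "00", 41: "MPOS0001", 49: "826"})
```

    The decoder refuses any bitmap bit it has no length for, because skipping an unknown field would misalign every field after it.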

    Payment Gateway Integrations

    Payment gateways provide market specific payment authorization and settlement services, supporting

    multiple types of card based payment processing, such as debit cards, credit cards, Visa, MasterCard

    and Europay cards. The mobile transaction processing framework includes the integration services for

    external payment gateways. Based on the nature of the payment transaction, card type and geography,

    the respective payment processing gateway services are integrated. Usually, the payment gateways

    can be integrated over HTTPS (secured SSL) using SOAP as well as name value pair based payment

    interfaces.

    Telco Operator Integrations

    Telco operators including both network operators and mobile service providers are integral and most

    important participants in the mobile commerce ecosystem. The mobile transaction processing solution

    framework requires extensive integration with concerned Telco operators, depending upon the nature

    Figure 16: ISO 8583 Payment Messaging


    of the mobile transactions involved. In this section, we briefly look into various integration scenarios

    that are required to be supported as a part of the transaction processing solution.

    SMS Integration

    SMS messages constitute a key part of the mobile transaction processing model; they are widely used

    to implement asynchronous communication patterns with the end users. From the transaction

    processing layer, the inbound and outbound messages are usually received and sent by an SMS gateway

    which is generally located in the Telco operator's premises. But in order to support multiple Telco

    operators' messages, an SMS gateway can also be hosted within the mobile transaction processing

    service provider's domain. Basically, the SMS gateway server acts as an interface between the end user

    and the processing server. The inbound SMS messages are received by the SMS gateway and stored in

    a database, from where such messages are read by the transaction processing layer. The outbound SMS

    messages are written into a database table, from where the SMS gateway sends the messages to

    the end users. A pictorial representation of the SMS gateway is shown in the figure above.

    USSD Integration

    USSD (unstructured supplementary service data) is another communication mechanism

    supported by many Telco operators. Using USSD commands, the end mobile devices can send and

    receive messages with USSD servers hosted in the Telco operator's domain. Such USSD commands are

    used as a part of the mobile commerce transaction flow, to implement certain parts of the overall

    transaction. The USSD messages can be sent and received by interfacing with a USSD gateway which

    is usually hosted in the Telco operator's domain. Mobile transaction processing services can send and

    receive such USSD messages using an XML interface via the USSD gateway. The following diagram depicts

    the flow of USSD integration.

    Figure 18: Mobile Commerce USSD Message Integration

    Figure 17: Mobile Commerce SMS Integration


    WAP/ WML Content Integration

    WAP is one of the mobile communication standards, using which mobile devices, through WAP

    browsers, can access WAP enabled information content. The WAP browsers are able to recognize the

    WML content over wireless and display the content on the mobile devices. The WAP technology is

    leveraged to enable a variety of mobile commerce transactions which are hosted through WAP enabled

    sites. The WAP content (through WML) is sent and received through a WAP gateway usually hosted in

    the Telco operator's domain. The WAP gateway serves as an exchange/transformer for converting WAP

    (WML / XHTML WAP 2.0) to HTTP/HTTPS (HTML) content between the WAP gateway and the web server

    hosted in the mobile transaction processing service provider's domain. The following diagram depicts

    the flow of WAP gateway integration from the web server.

    Figure 19: Mobile Commerce WAP Content Integration

    B2B Mobile Commerce Content Integrations

    The mobile commerce transaction processing framework supports integration of multiple partner

    hosted mobile content services, which are offered to the end users as a part of the mobile commerce

    business model. The users will be able to browse and shop these services that are listed in the mobile

    commerce content catalog. For example, users will be able to browse the music services, to buy and

    download songs of interest. The mobile transaction processing solution framework enables the

    integration of such externally provisioned content services, through its service layer, using service

    bus components. Subsequently, such external services are further invoked by various aggregation

    services hosted in the service layer, or in some cases directly by the mobile commerce client

    applications. The following diagram depicts the external mobile commerce content integration

    scenario.

    Figure 20: Partner Mobile Commerce Content Integration

    Back Office Integrations

    The mobile commerce solution framework is devised to integrate with key back office applications,

    such as financial accounting, HR, admin, MIS and analytical applications in the organization. The

    transaction records are further fed into the enterprise applications, which in turn process those mobile

    transaction records as per business need and requirements. Upon creation and modification of a

    mobile transaction record in the framework, respective record events (along with record details) are

    generated and written into subscribed message queues. Subsequently, the transaction records are read

    from those queues and updated to the respective enterprise applications such as SAP, ORACLE EBS,

    Reporting and MIS etc. The following diagram depicts the back office integration scenario, supported

    in the solution.

    Figure 21: Mobile transactions - Back Office processing

    Business Intelligence

    The business intelligence functionality is an essential part of the mobile commerce transaction

    processing solution, and this subsystem is devised to provide complete insight into operational and

    analytical reporting on mobile commerce transactions conducted through the framework. Whenever a

    mobile transaction record is created or modified, an associated business intelligence event is

    generated (consisting of record details) and is written to subscribed business intelligence message

    queues. The day-to-day transaction records, from the mobile commerce transaction BI queues, are

    extracted by ETL processes to load into the mobile commerce staging, ODS, and SW data sources.

    The purpose-built mobile commerce specific business intelligence data mart is populated with the

    data extracted and aggregated from the ODS and EDW data stores. The mobile commerce analytical

    and operational reports are generated against ODS and mobile commerce data marts and are

    provisioned through a dedicated reporting dashboard. The following diagram depicts the data

    extraction flows for business intelligence.

    Figure 22: Mobile Commerce - Business Analytics

    Business Activity Monitoring

    The business activity monitoring services in the mobile transaction solution framework provide

    visibility into the key performance indicators of the executed mobile commerce transaction processes

    and services at run time. The business activity monitoring services provide a complete dashboard

    that can provide full visibility into the performance of deployed mobile commerce processes and

    services. When the mobile commerce service layer is implemented and is enabled for BAM

    reporting, the out of the box BAM reports and dashboard can provide end-to-end visibility into the KPIs

    of the deployed mobile transaction services.

    Mobile Commerce Payment Security

    Security is an important and integral part of the mobile commerce transaction processing model and is

    critical to achieving the required compliance with regulatory standards such as PCI-DSS,

    DPA, SOX etc. The mobile payment security scope, at the minimum, includes authentication,

    encryption/decryption, authorization and non-repudiation (digital signatures) aspects associated with

    mobile transactions.

    In the context of mobile commerce transactions, which inherently involve payment transactions, it is

    extremely critical that the solution is PCI-DSS compliant, in all its services and functional paths. The

    mobile transaction processing solution framework ensures end-to-end security of the sensitive data

    (PAN and sensitive authentication data, SAD) using strong encryption across all paths of the

    transactions. The point-to-point encryption (P2PE) practice is known to reduce the scope of PCI-DSS

    assessment and hence P2PE encryption practices are widely being used for securing the card holder

    data (CHD) during transmission.

    Encryption functions in mobile devices (NFC clients) ensure that the card holder's data (CHD) and any

    other sensitive data is encrypted at the point of entry itself using strong encryption algorithms (SSL V3)

    and high strength public keys. The corresponding decryption functions are located at destination

    points, where the ciphertext (unreadable) content is decrypted using private key components. Public

    and private keys (asymmetric encryption) are securely managed through key management solutions,

    which ensure key generation and secure key distribution to the encryption and decryption points.

    Content Encryption or message level security

    The symmetric key based encryption technologies such as DES, 3DES (Triple Data Encryption Standard),

    Blowfish and DUKPT (derived unique key per transaction) are used to encrypt the content (to provide

    message level security) from source point to destination point (decryption point). A symmetric key is a

    common secret key used for encrypting and decrypting the content and hence such a key needs to be

    managed securely. External encryption APIs or inbuilt APIs (Windows Mobile edition) can be used to

    implement 3DES encryption. In order to provide additional security for the common symmetric key,

    the DUKPT mechanism can be used, which will provide a unique key (from the master key) to encrypt each

    and every transaction.
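
    The per-transaction key idea described above, as an added example that is not code from the white paper: a simplified derive-and-ratchet scheme in which HMAC-SHA-256 replaces the 3DES-based derivation of real DUKPT, so it shows the property but does not interoperate with DUKPT devices. The class names, labels and key values are constructed for the example; the derived key is what would be handed to the cipher, which is left out.

```python
import hashlib
import hmac


def _prf(key: bytes, label: bytes) -> bytes:
    """One-way step. HMAC-SHA-256 stands in for the 3DES-based steps of real DUKPT."""
    return hmac.new(key, label, hashlib.sha256).digest()


def initial_key(master_key: bytes, device_id: bytes) -> bytes:
    """Per-device key the host derives from the master key and injects at provisioning."""
    return _prf(master_key, b"initial|" + device_id)


class Terminal:
    """Encrypting end point (mobile client or POS). It never holds the master key."""

    def __init__(self, device_id: bytes, injected_key: bytes):
        self.device_id = device_id
        self._state = injected_key
        self.counter = 0

    def next_transaction_key(self):
        """Return (serial, key); the serial travels in clear with the ciphertext."""
        self.counter += 1
        key = _prf(self._state, b"txn")
        # Ratchet forward and overwrite: keys of earlier transactions cannot be
        # recomputed from what the terminal holds after this point.
        self._state = _prf(self._state, b"next")
        serial = self.device_id + self.counter.to_bytes(4, "big")
        return serial, key


class Host:
    """Decrypting end point. Stores only the master key and a per-device counter."""

    def __init__(self, master_key: bytes):
        self._master_key = master_key
        self._last_counter = {}

    def key_for(self, serial: bytes) -> bytes:
        device_id, counter = serial[:-4], int.from_bytes(serial[-4:], "big")
        if counter <= self._last_counter.get(device_id, 0):
            raise ValueError("transaction serial reused")  # replayed message
        state = initial_key(self._master_key, device_id)
        for _ in range(counter - 1):          # replay the terminal's ratchet
            state = _prf(state, b"next")
        self._last_counter[device_id] = counter
        return _prf(state, b"txn")


if __name__ == "__main__":
    master = b"constructed-master-key-not-real!"   # constructed value
    host = Host(master)
    pos = Terminal(b"POS-0001", initial_key(master, b"POS-0001"))
    for _ in range(3):
        serial, key = pos.next_transaction_key()
        print(serial.hex(), key.hex()[:16], host.key_for(serial) == key)
```

    A captured transaction key exposes one message only: the next key comes from a state the attacker cannot derive from it, and the master key never leaves the host.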

    Transport Layer Security

    The following section describes how various paths in the mobile transaction processing are secured

    with transport layer security protocols (SSL/TLS).

    1. Mobile Devices to Telecom Operator: HTTPS/SSL, WTLS

    a. The communication between J2ME mobile clients and telecom operator is encrypted using

    HTTPS/SSL which is PCI-compliant.

    b. When WAP sites and WAP clients are used, the communication between WAP browser and

    Telco's WAP gateway is secured through the WTLS (Wireless Transport Layer Security) protocol.

    Figure 23: Mobile Transaction Processing: End-to-End Security

    The encrypted card holder data (CHD) is passed to the mobile commerce transaction service providers

    where the same data is decrypted (using private keys) and further processed for authorizations.

    2. Telco Operator to Internet: HTTPS/SSL. The communication segment between the Telco operator's

    network and the connected internet is secured through HTTPS/SSL. The Telco operator network is

    connected either with secured VPN or with dedicated secured leased lines which are secured

    through SSL encryption.

    3. Internet to Mobile Transaction Provider's Intranet: HTTPS/SSL. The communication in this segment

    of the network is secured through HTTPS/SSL.

    4. Mobile Transaction Processor and Mobile Commerce Content Provider: HTTPS/SSL. The

    communications between the service layer of the solution and the respective external mobile

    commerce content provider are secured through HTTPS/SSL encryption.

    5. Mobile Transaction Processor and Payment Gateway Service Provider: HTTPS/SSL. The

    communication path between the mobile transaction processing platform and the respective

    payment gateway service providers is secured through HTTPS/SSL.

    6. Transmission of card holder data over the entire network (public network) is encrypted using strong

    cryptography and security protocols such as SSL v3/TLS for HTTPS, SSL/IPSEC for VPN, SSH for

    file transfers.

    The solution framework is devised not to hold or store any customer's credit card data during

    transaction processing; no credit card information is stored during the entire course of mobile

    transaction processing in the framework. Any personally identifiable information (PII) stored in the

    solution will be encrypted during storage. The tokenized CHD (PAN) data is stored in the system after

    authorization.

    PCI DSS compliance for wireless networks: The PCI-DSS 2.0 guidelines for wireless networks

    (WLANs, Bluetooth or Wi-Fi) stipulate a definitive set of requirements for wireless networks. All the

    WLANs connected to the mobile transaction processing framework run time environment are required

    to be secured as per the PCI-DSS requirements. The WLANs are subjected to physical and logical

    inspections (planned) and are also tested through regularly planned wireless vulnerability scanning

    tasks. The firewalls are configured to identify the authorized wireless traffic (if any) and block any

    unauthorized wireless traffic entering into the core processing zone, the servers in which may hold the

    customer sensitive data including card data. Any Wi-Fi WLAN connected to the run time environment is

    required to adhere to enterprise mode WPA/WPA (Wi-Fi Protected Access) 2.0 authentication and is

    required to employ AES (Advanced Encryption Standard) encryption standards for wireless encryption.

    Tokenization and End-to-End Security for PA-DSS Compliance

    Tokenization approaches are used to protect the sensitive card and PII data during payment

    processing and subsequent storage of payment related data. The PA-DSS (along with PCI-DSS)

    compliance framework necessitates end-to-end encryption of card, PIN and other

    personally identifiable data of the customers, during the entire path of payment transaction processing.

    The following diagram briefly depicts the tokenization flows used in the context of payment processing.

    The encrypted credit/debit or wallet account data from the mobile client application is passed to the

    mobile commerce transaction processor, where the credit/debit or wallet account data is tokenized

    using tokenization services; the actual card or wallet account data is used for authorizations, and the

    tokenized card/wallet data (not the actual card details) is stored in the transaction store. For all

    subsequent processing including reporting, analytics, POS services etc., the tokenized data is used.

    Tokenization approach reduces the effort required to manage the PCI-DSS compliance requirements,

    by reducing the places where the actual card/wallet and any other PII data is stored.

    NFC- Based Mobile Commerce Payments

    Near field communication (NFC) is another short distance radio communication technology, enabling

    communication between two devices when they are in the close vicinity of each other (4 cm). This

    technology is increasingly being considered for use in contactless payment processing models.

    In the context of mobile payment processing, an NFC enabled mobile device can interact with an NFC

    enabled point of sale (POS) device and engage in performing payment functions through NFC

    connectivity. The NFC implementation leverages the ISO/IEC 14443 standards for NFC card reader

    (PCD) and NFC device (NFC client - PICC) communications. In order to complete a mobile commerce

    transaction, it is essential that the mobile devices and POS equipment are both NFC enabled. There

    Figure 24: Tokenization Flows in Context Payment Processing

    are different scenarios as to how the NFC enabled mobile devices can be used to perform payment

    operations in the context of an overall mobile commerce transaction. The following section briefly

    discusses different NFC technology based mobile payment transaction scenarios.

    NFC Card Based Payment Processing

    In this payment transaction scenario, an NFC enabled mobile device is used to make card based (credit

    or debit) payments with an associated NFC enabled POS device. In this scenario, the actual card

    details along with the PIN details are stored in the mobile device NFC controller (like an NFC enabled

    smartcard). When a commerce transaction is completed in an NFC enabled POS, the subsequent

    payments can be made by an NFC mobile device, by bringing it into contact with the concerned NFC

    POS. On close contact, the bill details are passed to the mobile device; users will be able to see the bill and

    press the required button to make the payments. The card details along with the PIN are passed to the NFC enabled

    POS, which will further process the card details to complete the payment transaction. The payment

    Figure 25: NFC - Card based Payment Processing

    transaction between the NFC POS and payment gateway service provider will continue as it is done in a

    normal payment scenario. Upon completion of payment processing, the NFC POS sends a payment

    confirmation message to NFC mobile device, and the overall mobile transaction is closed.

    NFC Mobile Wallet Processing

    In this scenario an NFC enabled mobile device is used to make payments with an NFC enabled POS,

    using the user's mobile M-Wallet account. Mobile users, instead of using credit cards, use their M-wallet

    account to make the payments. The NFC enabled POS will present the bill to the users, who will accept

    Figure 26: NFC - Mobile Wallet Processing

    the same to make payments, sending M-Wallet account details to NFC POS, which will further interact

    with the user's M-wallet account service provider, for closing the payment transaction. Upon successful

    payment processing, the NFC POS will send a confirmation message to the mobile device and then the

    overall transaction is closed.

    NFC Sales and Marketing Content Model

    NFC technology is widely being considered as a sales and marketing channel, wherein appropriately

    tailored sales coupons and marketing campaigns are pushed to the users' NFC enabled mobile devices

    whenever such devices come in the close vicinity of an NFC enabled marketing server, in a shopping or

    any such commercial environment. Such sales and marketing campaigns will appear in the NFC mobile

    devices, giving the users informed options to make their commercial decisions and transactions.

    The NFC enabled mobile devices are offered sales and discount coupons (as a part of marketing

    initiatives) from their mobile operators. Such coupons can be directly used during the mobile

    commerce transactions, with an NFC enabled POS.

    Figure 27: NFC - Sales and Marketing Content Model

    Application Architecture - Mobile Transaction Processing

    The service layer of the mobile transaction processing solution framework is primarily built on service

    oriented architecture principles, wherein the key components of the service layer are designed and

    developed with service component architecture (SCA) standards.

    Service End Points: The end services, which are either internal services (created within the

    organization) or various external services provisioned by business partners, are hosted on the service

    bus through appropriate service bus implementations. The service bus implementation depends upon

    the chosen service bus product. These service end points can be directly linked to the service bus or

    invoked through dynamic binding using a service registry, depending upon the nature of the SOA

    implementation in an organization.

    Service bus layer: The service bus layer exposes the service endpoints to the consuming clients,

    which could be either BPEL components or direct end mobile clients. The service bus layer can support

    service composition and service routing patterns, which can be used to assemble the services and

    expose them through service bus. The service bus layer implementation depends upon the chosen

    service bus product.

    BPEL layer: The BPEL layer is implemented with BPEL components (SCA architecture) to create

    composite services in the mobile transaction framework. The BPEL components are exposed through

    multiple bindings (SOAP/HTTPS, SOAP/REST, TCP, FTP, XML etc) through which mobile clients can

    invoke these services. In some implementations, in order to improve the performance, the BPEL SOAP

    services are interfaced with REST adapters, which will expose those services as REST services.

    Client layer: The mobile client components in the solution are implemented using multiple

    technologies (depending upon the mobile device and OS compatibility) as J2ME clients, JSP/WML

    (WAP) enabled clients (WAP enabled sites), USSD clients, SMS clients etc.

    Figure 28: Application Architecture of Mobile Transaction Processing

    Deployment Architecture - Indicative

    The functional and non-functional requirements of the mobile commerce business model determine the

    production run time deployment architecture. The service factors such as availability, performance,

    security, auditing, scalability, business continuity and disaster recovery will have an important

    influence on the deployment architecture of the mobile transaction processing solution. The network

    infrastructure is one of the key components of the production environment to which the solution is

    deployed. The network connectivity depends on the partner network (payment gateways, telco

    operators, FIs, payment service networks etc) which needs to be integrated in the context of the

    mobile transaction processing. The security and compliance requirements (PCI DSS) are also major

    factors determining the target deployment architecture. The diagram below depicts indicative

    architecture for high availability deployment.

    The following are the salient features of the target deployment architecture:

    1. All incoming and outgoing traffic is secured through first level IP firewall, with NAT based firewall

    rules.

    2. Incoming traffic is distributed to web server cluster, by a load balancer pair which also acts as an

    SSL termination appliance.

    3. Web server cluster routes service requests to the application server cluster located in the core

    zone, through a highly available load balancer cluster which will distribute the load on to the

    application server cluster. The service composite applications for mobile transaction processing

    Figure 29: Mobile Transaction Processing Solution - Deployments

    are deployed into the application server runtime environments for BPEL, ESB and Adapters engines.

    4. The database server cluster is located in the core zone, separated from application servers with

    dedicated and secured VLANs.

    5. All the personally identifiable data in the database is encrypted at storage.

    6. Business continuity and disaster recovery requirements (RTOs, RPOs) are met with a standby DR

    center, which is constantly updated with a SAN level replication.

    7. The file transfers in the system (for settlement and for internal and external integrations) are

    carried through secured SSH or SFTP channels.

    8. The external partners (telcos, FIs, payment gateway service providers) and external services are

    connected through dedicated leased lines and secured VPN internet connections depending upon

    the nature of the connection required.

    9. Primary and secondary data centers are deployed with appropriate levels of intrusion detection,

    audit change management systems, to securely monitor the hosting infrastructure.

    10. All servers in primary and secondary data centers are secured through virus protection software.

    11. The infrastructure elements in the primary and secondary data centers are constantly monitored,

    through a well defined monitoring system.

    12. The access and authorization to all infrastructure resources are controlled.

    13. The deployment environment is inspected by regularly planned system vulnerability scanning tasks,

    to identify and address any internal and external security threats.

    14. Any wireless LANs (WLANs, Wi-Fi or Bluetooth) associated with the deployment environments are

    assessed as per the PCI-DSS 2.0 requirements for wireless payment networks.

    15. The firewall rules are configured to filter out / block any unauthorized wireless traffic entering into the

    core processing zones.

    The network and communication infrastructure is an important and critical part of a mobile transaction

    and payment processing infrastructure. Secured and highly available network communications, between

    various participants in the ecosystem are necessary to ensure high quality end-to-end mobile transaction

    processing. The following types of network connectivity links are required to build a network

    infrastructure that can support mobile transaction and payment processing services:

    1. Network communication link between mobile transaction processor and telco (mobile network

    operators) service providers.

    2. Network connectivity between the mobile clients and mobile transaction service providers (through

    MNOs).

    3. Network connectivity between mobile transaction and payment processing service providers and

    various payment gateway service providers, acquirers, and any third party aggregators, as

    required for payment authorizations and settlements.

    4. Network connectivity between the organization's data center and any externally located mobile

    transaction service providers.

    Network Connectivity

    5. Network connectivity between primary and secondary data centers hosting