mobile transaction payment processing
7/29/2019 Mobile Transaction Payment Processing
White Paper
Mobile Transactions and Payment Processing
Ashok Goudar
Senior Enterprise Architect
Contents
Introduction
Mobile Commerce Business Context
Mobile Commerce Strategy
Mobile Channel Strategy
Mobile Marketing
Mobile Sales
Mobile Service
Mobile Payment
Mobile Wallets
Mobile Commerce Transaction
Mobile Banking and Mobile Money
Mobile Commerce Transformation Roadmap
Mobile Commerce Payment Business Scenarios
Card based Mobile User to Business Payments (CM2B)
Mobile Wallet User to Business Payments (M2B)
Mobile Wallet Mobile Users to Mobile User Payments (M2M) Remittance Services
Mobile Wallet Cross Border M2M
Mobile Wallet Cross Border M2Account
Mobile Commerce Payment Processing Models
Card based Mobile Payments
Direct Card Based Mobile Payments
Indirect Card Based Mobile Payments
Cardless Mobile Payments
M-Wallet Mobile Account Based Payments
Contactless Mobile Payments
Sync and Async Payment Transactions
Mobile Commerce Solution Architecture
Mobile Commerce Transaction Scope - flows
Mobile Client Presentation Layer
Mobile Commerce Transaction Layer
Payment Messaging Authorisations, Settlements and Reconciliations
Payment Gateway Integrations
Telco Operator Integrations
SMS Integration
USSD Integration
WAP/WML Content Integration
B2B Mobile Commerce Content Integrations
Back Office Integrations
Business Intelligence
Business Activity Monitoring
Mobile Commerce Payment Security
Tokenisation and End to End Security for PA-DSS compliance
NFC-Based Mobile Commerce Payments
NFC Card Based Payment Processing
NFC Mobile Wallet Processing
NFC Sales and Marketing Content Model
Application Architecture Mobile Transaction Processing
Deployment Architecture - Indicative
Network Connectivity
Conclusions
Introduction
Usage of mobile devices to conduct day-to-day communications, collaborations and business
transactions is growing exponentially. More and more users are opting for mobile channels, as part
of their daily routines, to manage various aspects of both their business and personal activities.
Business organizations have recognized this significant shift in customer choices and preferences,
which indicates a constant increase in customer affinity for mobile based transactions. At the
same time, mobile technology itself has undergone tremendous innovation and evolution, resulting
in more and more powerful mobile devices and communication channels that are capable of handling a
variety of practical communication and business transactions. In the recent past, the computing
power and network bandwidth of mobile devices and mobile communication channels have advanced to
such an extent that the difference between mobile and desktop computing is drastically
diminishing. Many business organizations, across all industry sectors, have quickly identified the
emergence of business grade mobile technology and have strategically adopted the mobile channel as
one of their key eCommerce business channels to conduct the sales, service, and marketing
operations and business processes relating to their mobile commerce business models.
As mobile technology is growing, so is payment technology, which now enables end-to-end payment
processing in the context of the associated business (sales) transactions. This makes it possible
to conduct an entire business transaction, along with the associated end-to-end payment
processing, over the mobile channels, offering customers enormous flexibility as to how, where,
and when they initiate their business transactions in real time. The payment processing industry,
keeping in line with the potential and constantly increasing growth of mobile commerce, has
floated a variety of mobile payment processing solutions and models that can leverage the relevant
mobile communication services such as GPRS, USSD, NFC, Wi-Fi, Bluetooth, SMS, WAP etc. The increase
in wireless bandwidth and the highly available mobile network infrastructure backbone provided by
various mobile network operators have further increased the stability, reliability, and quality of
service of wireless mobile transactions, making the mobile channel more and more reliable for
business critical mobile commerce models. Keeping up with the growth in mobile communication
technology, software vendors, service providers and industry forums have been offering newer and
enhanced mobile operating systems (Windows mobile 7.0, Android OS, Symbian, Blackberry OS, Apple
iOS 4 etc), APIs (J2ME, Windows 7 mobile SDK, Android SDK etc), development tools (along with
emulators) and technology standards for mobile computing, making it possible to develop and host a
variety of mobile transaction processing solutions for mobile commerce.
In this context, this paper discusses the solution architecture of a target mobile transaction and
payment processing framework for mobile commerce transaction processing. The paper also briefly
touches upon various mobile commerce business models and the solution architecture for business
scenarios (conducted on different mobile communication technologies) that are addressed by the
target mobile transaction and payment processing solution framework.
Mobile Transactions and Payment Processing White Paper
Mobile Commerce Business Context
Mobile commerce is not only an extension of the eCommerce business model but also an innovative
commerce model, in which a variety of commerce transactions are conducted over mobile channels. In
mobile commerce, many business organizations use mobile channels, in addition to traditionally
established channels (field sales, branch offices, front offices, web channel etc), to conduct
their business operations in the sales, service, and marketing areas.
A typical mobile commerce ecosystem, in addition to end customers, comprises multiple participants
including business organizations, retailers, telecom network service providers, mobile transaction
processing service providers, payment gateway service providers, acquirers, intermediaries, issuer
banks, and a variety of settlement service providers.
In a mobile commerce business model, end users are able to buy products and services from the
merchants (or business organizations) and pay for them through their mobile devices. The services
and products are either delivered directly to the customers through their mobile devices (if they
are content based services) or shipped to their addresses through shipment and fulfilment
processes. As part of the mobile commerce model, users are able to make the payment in a variety of
ways over the mobile channels, either using their credit/debit cards or through cardless
(contactless) payment mechanisms through their mobile wallet accounts.
Figure 1: Mobile Commerce Transaction Processing Context
The mobile commerce services (products and saleable services) are presented to the customers either
directly through the mobile channel or through other channels (mediums), depending upon the nature
of the services sold. Once the business transaction is completed, the users can make payments
directly through their mobile devices. One of the key aspects of the mobile commerce model is that
the services and products are offered to the customer through mobile friendly commerce transaction
services over mobile channels, which enables the users to make their purchases directly through
their mobile devices. Mobile commerce can provide great flexibility to the end users in the way in
which they conduct their purchasing operations.
Mobile Commerce Strategy
A well formulated mobile commerce business transformation strategy is essential to achieve the
mobile commerce (m-business) business goals. Typically, in many organizations across industry
verticals, the mobile commerce model is seen as an augmentation of or an extension to the existing
brick-and-mortar, e-commerce and e-business models, taking the business services to the consumers
over mobile channels. In some small and medium business organizations and start-ups, the mobile
commerce model could be the main business service model, enabling those organizations to reach
their customers effectively through mobile channels. Due to the shifting habits of consumers and
the flexibility associated with mobile enabled business interactions, the mobile commerce model is
taking a prominent place in the business strategies of many organizations. A mobile commerce
strategy defines the outlook of the proposed mobile commerce model (in other words, the m-business
model) across its key aspects. The scope of the strategy for mobile commerce includes the
following:
Figure 2: Mobile Commerce Strategy Transformations
Mobile Channel Strategy
Mobile channels play a critical role in the successful acceptance and adoption of mobile commerce,
mobile payment, and mobile banking solutions. The technology of the mobile devices, and the users'
knowledge of, familiarity with, and comfort with mobile channels, will impact the levels of
adoption of mobile business models. The following are the key mobile channels through which the
target mobile services are delivered to the consumers.
SMS Channels - SMS messages are supported by a wide array of basic as well as the most advanced
mobile devices, and the majority of customers (both educated and uneducated) can use SMS messages
to conduct mobile transactions through their phones. However, the costs associated with SMS channel
based mobile transaction processing can be relatively high compared to other mobile channels.
Also, mobile transaction security with SMS channels can pose a few challenges from a regulatory
compliance perspective. In certain geographies, the SMS channel is the only viable channel that can
reach a large number of mass mobile users. The SMS channel strategy evaluates the pros and cons of
the SMS channel with respect to the business model and formulates a solution strategy that can
leverage SMS messages.
USSD Channel - This is a more secure channel compared to the SMS channels, requiring higher levels
of Telco participation (USSD gateway service provider) in the mobile transaction model. The USSD
channel is supported by a wide range of mobile devices; however, the USSD command model itself
differs from one Telco carrier to another, resulting in higher solution implementation costs. As
with SMS texts, USSD mobile commands are relatively easy to use and hence can appeal to a wide
range of customers. The strategy for the USSD channel determines how, where, and when the USSD
based mobile commerce solution can be adopted to realize the underlying mobile commerce business
models.
Mobile Browser Channel (mobile optimized and WAP sites) - The mobile browser resident on the device
is used to access mobile customized WAP or web applications, with which customers can engage in
various types of mobile business transactions. This channel can be widely used by educated
(technically savvy) users, while many uneducated or under-educated customers may find it difficult
to use. This channel is relatively easy to adopt, since the existing web channels and web
applications can be quickly customized for mobile devices.
Mobile Application Channel - In this channel, device specific (APIs, OS) mobile applications are
used to conduct the mobile transactions. The mobile applications are device specific and OS
specific, and usually provide rich user interfaces for the mobile devices. The cost associated with
the mobile application channel is relatively high, as the applications need to be developed for a
specific set of devices, and the customer coverage is somewhat restricted to those specific devices
on which the applications can run. The rich user interfaces and secured transaction processing
capabilities offered by application APIs can be very useful in bringing tailored mobile solutions
to target customers.
NFC and contactless mobile channel - This channel is supported on NFC enabled mobile devices, and
can be used to realize contactless mobile based business transactions, such as mobile marketing,
mobile payments, and various types of mobile promotions, including location based services. In the
case of payment processing, the NFC channel also requires NFC enabled POS devices at the merchant
locations. This is one of the key emerging mobile channels that needs to be considered while
defining an organization's mobile commerce business strategies.
Mobile Marketing
Mobile marketing is a business strategy for how, where, and when the marketing services can
leverage mobile channels to achieve maximum marketing effectiveness. Effective mobile marketing
strategies include the following:
Mobile Campaigns - Campaigns targeted to selected customer segments over mobile channels.
In-Store Promotions - Promotional campaigns aimed at customers when they are within a store,
offering discounts through mobile channels.
Location Based Services - Services, promotions, coupons etc offered based on the customer's
current location. Such campaigns can influence customer buying habits.
Coupon Offerings - Coupons and discounts offered through mobile channels. The mobile commerce
strategy will also ensure mobile based coupon redemptions during point of sale transactions.
Mobile Barcode Campaigns - A marketing strategy in which mobile barcodes are used for product and
service promotions. User devices, when they scan the mobile barcode, receive mobile content often
consisting of product details, promotions, discounts, vouchers, and coupons.
Mobile Personalization - Tailored marketing campaigns over mobile channels, based on the user's
profile, preferences, habits, and affinities.
Mobile Sales
This is the sales strategy for the various products and services to be sold either directly over
the mobile channels or through other sales channels with the support of mobile channels. A mobile
sales strategy can include the following:
Mobile point of sales strategy - How the potential end users can use their mobile devices to make
purchases at the point of sales locations.
Mobile catalog services - How the products and services can be presented to the customers through
mobile customized product and service catalogs.
Mobile coupon redemptions - How, where, and when users can use their coupons and discounts in the
context of their purchases over mobile channels.
Mobile optimized commerce sites - How the commerce websites can be optimized and delivered to the
customers over mobile channels.
Cross and up-selling models - How mobile channels can be used to increase revenues through cross
selling and up-selling models.
Event and geography location based selling - How sales based on events and on the user's location
can be increased over mobile channels.
Mobile Service
A mobile service strategy addresses the service model that needs to be adopted in the context of
mobile channel enabled business models. A service strategy for a mobile commerce business model
includes the following:
Fulfillments - Strategy for post sales delivery and shipment of the products and services sold over
mobile channels.
Returns - Strategies for handling post sales returns for the products and services sold over mobile
channels. This includes processing of payment returns.
Inventory Management - Deals with the inventory management of a mobile commerce business model.
Contact and Call Centers - Post sales help and call centers for the customers.
Mobile Payment
This is the mobile strategy for accepting and processing payments over the mobile channels, in the
context of mobile commerce sales transactions. The mobile payment strategies can include:
Card based mobile payments - How the mobile commerce business model and strategy support card based
payment acceptance. The card based payment strategy outlines the model for supported card types,
geography based payment gateway services, and cross border card based payments over mobile
channels.
Contactless card based mobile payments - Deals with contactless card based mobile payments using
mobile devices (with NFC technology).
Cardless mobile payments - Includes the strategies for accepting payments through cardless payment
models such as mobile wallets.
Carrier Billing - A payment strategy in which the mobile sales transactions are charged against the
user's carrier billing, which is paid by the user under either a pre-paid or a post-paid contract.
Mobile Wallets
A mobile wallet based payment strategy deals with how, where and when payments can be accepted and
processed using the users' mobile wallet accounts. The strategy also defines how the mobile wallet
accounts are integrated with the commerce transactions to process the associated transaction
payments. The mobile wallet payment options include the following:
Prepaid - Here the users top up their mobile wallet accounts upfront, and these mobile wallet
accounts are used to make the payments in the context of the mobile sales transactions.
Post-paid - In this case, a user's mobile wallet account is linked to his or her carrier billing
account. The mobile sales transactions are paid with the user's mobile wallet account, which in
turn is charged to the associated mobile billing account that is usually paid on a monthly or
quarterly basis.
Card linked mobile wallets - In this mobile wallet strategy, the mobile wallet accounts are linked
to the users' debit or credit cards. In a mobile sales transaction with card linked mobile wallet
payment, the final payment is made from the wallet account that is linked to the user's cards.
Carrier hosted Wallet Service - In this wallet payment strategy, the wallet services are primarily
provisioned by a carrier (telecom network operator or mobile service provider), in partnership with
participating banks and financial institutions to link mobile wallets with the users' card
services. The payment settlements are done between the carrier and the participating financial
institutions. The carrier alone maintains the mobile users' wallet accounts and provides complete
mobile payment transaction support.
Financial institution hosted wallet service - In this strategy, the mobile wallet services are
hosted by financial institutions (such as payment service providers, payment network service
providers, and banks) in partnership with the related Telco or carrier service providers. The FIs
maintain the users' mobile wallet accounts in relation with their card accounts. In such a model,
the telcos (carriers) maintain the user mobile accounts and participate in the mobile payment
transaction.
Business hosted mobile wallet service - In this strategy, the mobile wallet services are hosted by
independent mobile payment transaction service provider(s), with participation from telecom
carriers and financial institutions.
Mobile Commerce Transaction
This strategy defines the mobile transaction based business model in which various services, both
internal and external (partner content services), are offered to the customers. In this model, a
variety of industry specific mobile commerce transaction services are sold to the customers over
mobile channels and the associated payments are also processed over mobile channels. It also
formulates the mobile application strategy that can support various mobile commerce transactions.
The mobile transaction processing strategy further includes the following:
Content based mobile commerce transactions - In this model, mobile device and channel compliant
content services such as music, games, videos, movies, gigs etc. are sold to the customers using
mobile channels, and the associated payments are processed either through card based accounts or
through wallet accounts, including carrier billing models.
Mobile bill payment transactions - This mobile commerce business model enables the end users to
make their bill payments (of various types) directly through their mobile devices, using their card
accounts or mobile wallet accounts.
Mobile ticketing services - In this mobile commerce business strategy, various types of ticketing
services (movies, entertainment, concerts, games, sporting events etc) are sold over the mobile
channels, and payments for such sales transactions are processed with card accounts or with mobile
wallet accounts through mobile channels.
Travel booking services - In this business model, various types of travel (bus, air, train, taxi,
ships, ferries etc) and hotel related booking services are offered over mobile channels. Payments
for such sales transactions are processed with card or mobile wallet accounts.
Industry specific mobile commerce transactions - These are the industry specific mobile commerce
business transaction models, in which industry specific services are sold to the customers over the
mobile channels. Such services are very specific to the concerned industry, such as insurance,
retail, telco, finance, government etc.
Mobile Banking and Mobile Money
The strategy for mobile banking and mobile money transfers involves formulating the business models
and approaches to extend banking services and money transfer facilities over mobile channels. A
mobile banking strategy aims at providing complete banking facilities to the customers through
their mobile devices. The following are the key flavours of this strategy:
Mobile retail banking - This business strategy aims at bringing the key retail banking services,
such as statements, balance enquiry, check deposits, money transfers, bill payments, direct debits
etc, to the customers over the mobile channels.
Mobile cheque deposits - This business service allows the customers to make cheque deposits
remotely.
Mobile peer to peer payments - Allows the users to make money transfers or payments directly to one
another using mobile channels, either with their mobile wallet accounts or with their bank
accounts, including card accounts.
Mobile money transfers - Mobile enabled local and cross border money transfers can help many
customers to make money transfers easily from their mobile devices, either using their card/bank
accounts or through their mobile wallet accounts. This strategy defines the mobile enabled money
transfer business models and associated solutions. Cross border international money transfers can
involve multiple local and international participants including FIs, banks, and cross border
settlement solutions.
The mobile banking services can be provisioned through user chosen (compatible) mobile channels
such as text/SMS, dedicated mobile applications, and mobile customized web application sites that
are accessible through mobile hosted browsers.
Mobile Commerce Transformation Roadmap
A well planned mobile commerce transformation roadmap can help organizations to realize their
mobile commerce business goals and achieve their target mobile commerce business strategies. A
mobile commerce transformation roadmap in an organization depends upon business priorities,
business sponsorships, and several internal and external dependencies. In a mobile commerce
business model, such a transformation can also depend upon technical feasibility and the technology
options available. A mobile commerce transformation roadmap can differ from organization to
organization depending upon the current state of the business and technology models, business
priorities, and target markets. In general, in many organizations a typical mobile commerce journey
starts with mobile marketing services and gradually moves towards a complete mobile commerce
business model, offering full services over mobile channels. In some other organizations, such as
banking, the priority would be mainly on customer reach and satisfaction, which may put priority on
mobile self service models for payments and retail banking. Likewise, the transformation roadmap
depends upon multiple factors, and hence mobile transformation roadmap definition and planning need
to take all influencing factors into account. The following figure shows an indicative mobile
commerce transformation roadmap. It is important to note that there is no one common transformation
roadmap for all mobile commerce initiatives in different organizations. It may also be noted that
the key mobile commerce initiatives are not necessarily taken up in a sequential manner; many times
such initiatives are handled in parallel within the scope of an overall mobile commerce
transformation programme for the organization.
Mobile Commerce Payment Business Scenarios
In the context of mobile commerce transactions, the use of mobile technology to facilitate flexible
payment options can be envisioned to support the multiple mobile payment scenarios seen in practice
in a variety of day-to-day business operations.
In this section, based on the context of the mobile payments and the associated mobile commerce
transactions, the following key mobile payment business scenarios are discussed.
Figure 3: Mobile commerce - Payment business scenarios
Card based Mobile User to Business Payments (CM2B)
In this payment scenario, the mobile users make payments to the businesses or the merchants with
their payment cards (credit, debit, etc) through the mobile channel.
In this mode, the users conduct their mobile commerce transactions and make the payments against
the bills (invoices) generated, through their mobile devices, using their payment cards. The
following are the key steps performed in this scenario (depicted in Figure 4).
1. Users invoke the mobile commerce application from their devices.
2. Users are presented with the products and services along with their prices.
3. Users select products and services and add them to the shopping cart.
4. After verification of the bills, users perform the checkout operation.
5. After checkout, users are presented either with a payment screen where they enter their card
details and pin number (securely - login pins) to make the payments, or pre-stored payment card
details along with the pin number are automatically taken for payments, based on user approvals.
6. The user's payment details along with card details are passed to the respective payment service
provider (through the mobile transaction service provider) for payment authorization and subsequent
settlement (payment is authorized against the user's account held in the issuer bank).
7. Upon authorization, the payment is either deposited directly into the merchant account or
settled by the acquirer based on the pre-agreed settlement period.
Figure 4: Card based Mobile User to Business
Mobile Wallet User to Business Payments (M2B)
In this scenario, the mobile users directly use their mobile phones as wallets to make payments. In
this mode, there is no direct usage of payment cards involved. The following are the key steps
performed in this scenario.
1. Users invoke the mobile commerce application from their device.
2. Users are presented with the products and content services along with their prices.
3. Users select products and services and add them to the shopping cart.
4. After verification of the bills (invoices), users perform the checkout operation.
5. After checkout, users are presented with a screen to enter their mobile wallet entry pin, to
make the payments.
6. Upon receipt of the wallet account pin, the user's mobile SIM number or any such uniquely
identifiable number (and any pre-stored wallet number) along with the pin is propagated to the
mobile wallet service provider through the mobile transaction processing service provider. Upon
authentication and authorization of the user's wallet credentials, the mobile wallet service
provider makes the payment to the associated merchant account through the standard acquirer and
payment gateway service provider networks. The transaction amount is deposited in the merchant
account based on the pre-agreed settlement periods.
7. Payment confirmation is sent back to the mobile user.
8. Mobile transaction is closed.
Figure 5: Mobile Wallet for Payments (M2B)
Mobile Wallet Mobile Users to Mobile User Payments (M2M) Remittance Services
This is a mobile wallet based peer-to-peer payment scenario, in which mobile users can make direct
payments to other mobile users through their m-wallet accounts. No card based payment is involved
in this scenario. The recipient (beneficiary) may receive the payment either into their m-wallet
account or into their bank account, based on the payment instructions.
The following are the key steps involved in this type of payment scenario:
1. User invokes a special purpose mobile commerce application for peer-to-peer payments on their
device. This application facilitates payments either directly to the recipient's (beneficiary's)
m-wallet account or to the associated bank account.
2. User is prompted to enter the payment instruction details in the application, including the
peer's wallet or bank account identification details.
3. User is prompted for the m-wallet pin number.
4. Mobile payment transaction details along with m-wallet credential details are passed to the
m-wallet service provider through the mobile transaction service provider.
5. Upon validation of the payment instructions along with the user's credential details, the
following payment deposit actions are performed:
a. If the recipient's m-wallet details are provided, then the payment is made directly to the
recipient's m-wallet account. Payment confirmation is sent back to the user.
b. If the recipient's bank account details are provided, then the payment is made directly to the
recipient's bank account, through settlement networks. Payment confirmation is sent back to the
user. Upon deposit into the recipient's bank account, the recipient is notified of the deposit
either through the mobile channel or through other relevant channels which the recipient has opted
for.
6. Mobile transaction is closed.
Figure 6: Mobile Wallet M2M Remittance Services
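The M2M remittance steps above, modelled end to end as an added example (this is not code from the white paper): the instruction and PIN are relayed by the mobile transaction service provider (step 4), validated by the m-wallet service provider (step 5), then routed to a wallet or to a bank account (5a/5b) before the transaction is closed (step 6). All class and identifier names, the salted-hash PIN check and the balance check are assumptions; the paper does not specify them.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from decimal import Decimal
from typing import List, Optional


@dataclass
class PaymentInstruction:
    """Step 2: what the payer enters; exactly one recipient target is allowed."""
    payer_id: str                                  # hypothetical wallet identifier
    amount: Decimal
    recipient_wallet: Optional[str] = None         # branch 5a
    recipient_bank_account: Optional[str] = None   # branch 5b


@dataclass
class Result:
    status: str
    events: List[str] = field(default_factory=list)


def _pin_digest(pin: str, salt: bytes) -> bytes:
    # Assumption: the paper does not say how wallet PINs are stored or checked.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class WalletServiceProvider:
    """Hypothetical m-wallet service provider (steps 5 and 6)."""

    def __init__(self) -> None:
        self.balances = {}
        self._pins = {}
        self.settlement_queue = []   # payments handed to the settlement network

    def open_wallet(self, wallet_id: str, pin: str, balance: str) -> None:
        salt = os.urandom(16)
        self._pins[wallet_id] = (salt, _pin_digest(pin, salt))
        self.balances[wallet_id] = Decimal(balance)

    def _pin_ok(self, wallet_id: str, pin: str) -> bool:
        record = self._pins.get(wallet_id)
        if record is None:
            return False
        salt, expected = record
        return hmac.compare_digest(expected, _pin_digest(pin, salt))

    def process(self, instr: PaymentInstruction, pin: str) -> Result:
        # Step 5: validate the instruction and the credentials before money moves.
        targets = [t for t in (instr.recipient_wallet, instr.recipient_bank_account) if t]
        if len(targets) != 1 or instr.amount <= 0:
            return Result("rejected:invalid_instruction")
        if not self._pin_ok(instr.payer_id, pin):
            return Result("rejected:credentials")
        if instr.recipient_wallet and instr.recipient_wallet not in self.balances:
            return Result("rejected:unknown_recipient")
        if self.balances[instr.payer_id] < instr.amount:   # added assumption
            return Result("rejected:insufficient_funds")

        self.balances[instr.payer_id] -= instr.amount
        events = []
        if instr.recipient_wallet:
            # 5a: credit the recipient's m-wallet, then confirm to the payer.
            self.balances[instr.recipient_wallet] += instr.amount
            events.append("confirmation->payer")
        else:
            # 5b: pay the bank account through the settlement network, confirm
            # to the payer, and notify the recipient of the deposit.
            self.settlement_queue.append((instr.recipient_bank_account, instr.amount))
            events += ["confirmation->payer", "notification->recipient"]
        events.append("transaction_closed")   # step 6
        return Result("completed", events)


class MobileTransactionServiceProvider:
    """Step 4: relays instruction and credentials; keeps no copy of the PIN."""

    def __init__(self, wallet_provider: WalletServiceProvider) -> None:
        self._wallet_provider = wallet_provider

    def submit(self, instr: PaymentInstruction, pin: str) -> Result:
        return self._wallet_provider.process(instr, pin)


def demo() -> List[str]:
    """Runs three constructed scenarios and returns their statuses."""
    wsp = WalletServiceProvider()
    wsp.open_wallet("wallet-A", "4821", "100.00")   # constructed sample data
    wsp.open_wallet("wallet-B", "7730", "5.00")
    mtsp = MobileTransactionServiceProvider(wsp)
    cases = [
        (PaymentInstruction("wallet-A", Decimal("30.00"), recipient_wallet="wallet-B"), "4821"),
        (PaymentInstruction("wallet-A", Decimal("20.00"), recipient_bank_account="ACCT-0001"), "4821"),
        (PaymentInstruction("wallet-A", Decimal("10.00"), recipient_wallet="wallet-B"), "0000"),
    ]
    return [mtsp.submit(instr, pin).status for instr, pin in cases]


if __name__ == "__main__":
    print(demo())
```

Every rejection path returns before the payer's balance is touched, so a failed credential or instruction check leaves both wallets and the settlement queue unchanged.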
Mobile Wallet Cross Border M2M
This is an international cross border mobile-to-mobile payment scenario, where in both payer and the
beneficiary use their m-wal let accounts during the payment transaction. I t is almost similar to the
previous scenario, except that in this scenario, there is an international cross border settlement
component involved.
The following are the key steps of this mobile payment scenario:
1. User invokes a special purpose mobile commerce application for peer-to-peer payments, in their
device. This application facilitates payments directly to the recipient's m-wallet account.
2. User enters the payment instruction details in the application, including the peer's wallet details.
3. User is prompted for the m-wallet PIN number.
4. Mobile payment transaction details along with m-wallet credential details are passed to the m-wallet
service provider through the mobile transaction service provider.
5. Upon validation of the payment instructions along with the user's credential details, the following
payment deposit actions are performed:
a. The cross border settlement transaction is initiated between the m-wallet service provider's bank
account and the recipient's m-wallet service provider bank account.
b. Upon settlement, the recipient's m-wallet service provider deposits the money into the recipient's
wallet service account.
6. Payment confirmation message is sent back to the payment initiator.
Figure 7: Mobile - Wallet Cross Border M2M Services
Mobile Wallet Cross Border M2Account.
This is a slight variant of the previous scenario, wherein the payment transfer is done to the recipient's
bank account or the transferred amount is directly paid to the end recipient (beneficiary). The following
are the key steps of this scenario:
1. User invokes a special purpose mobile commerce application for peer-to-peer payments, in their
device. This application facilitates payments directly to the recipient's m-wallet account.
2. User enters the payment instruction details in the application, including the peer's wallet details.
3. User is prompted for the m-wallet PIN number.
4. Mobile payment transaction details along with m-wallet credential details are passed to the m-wallet
service provider through the mobile transaction service provider.
5. Upon validation of the payment instructions along with the user's credential details, the following
payment deposit actions are performed:
a. The cross border settlement transaction is initiated between the m-wallet service provider's bank
account and the recipient's bank account, and the recipient end user is notified of the transfer.
b. For the cases where the recipient does not have a bank account, the money is transferred to an
intermediary account (based on the pre-agreed arrangement), from where the amount is
disbursed to the recipient through direct channels.
Figure 8: Mobile Wallet Cross Border M2Account
Mobile Commerce Payment Processing Models
In many industry sectors, such as retail, telco, insurance, finance etc, the adoption of mobile
commerce business models depends upon the ability to securely process payments through mobile
channels, over multiple mobile devices built on different technologies. The key mobile payment
schemes that can enable a variety of mobile commerce business models can be grouped into the following
models:
Card based Mobile Payments
In these types of mobile payment schemes, the actual payment cards, such as debit cards, credit
cards, prepaid cards, post paid cards, gift cards, vouchers etc, are used to make the payments through
mobile devices. Based on the context of the business sales transaction, users are required to furnish the
card details along with the PIN verification to make the payments. Card based mobile payments can be
further classified into direct and indirect card based payment schemes. The card details can also be
stored directly in the memory or smart cards of the mobile devices.
Direct Card Based Mobile Payments
In this type of payment mode, the users directly provide the card details at the point of making
payments. The user card details along with PIN verification are used to make the payments to the
concerned merchant accounts.
Indirect Card Based Mobile Payments
In an indirect card based mode, the user's card details are registered with the payment service
provider upfront, either through web or mobile channels, and subsequent user payments are made with
a secure PIN entry provided by the users. The users do not have to enter the card details at the point
of sales step of the process.
Cardless Mobile Payments
Cardless mobile payment options allow the end users to make payments without the need to have
payment cards such as credit or debit cards. In these types of payment modes, the
payment is primarily made against the user's mobile wallet accounts, which are monetarily replenished through
various online or mobile payment modes. Cardless mobile payments can be broadly arranged into the
following categories:
M-Wallet Mobile Account Based Payments
In this mode, the user's mobile accounts are charged against the bills (for the services and
goods) generated during mobile sales transactions. Such mobile wallet account based payments can
have further flavours such as:
Pre-Paid mobile payment accounts
In this type of contract, the users buy the pre-paid mobile wallet account value by using top-up
services, to which the payment is made by using a variety of channels, including online, ATM etc.
Such pre-paid wallet accounts are further used during the mobile commerce transactions to make
actual payments.
Post-Paid Mobile payment accounts
Post-paid contracts enable the users to pay their mobile charges along with any other mobile
commerce charges on a periodical basis (monthly, quarterly etc), based on the contract type chosen
with the mobile wallet operator. During the mobile commerce transactions, the payments are
initiated against the post-paid mobile account, and regular bills are forwarded to the customer
(users) as per the billing arrangements.
Contactless Mobile Payments
The contactless mobile payments work more or less the same as other types of cardless mobile payments,
except that the payment details appear on the mobile devices automatically, in the context of a
business transaction, when a mobile device is brought into the close vicinity of a concerned point of
sales (PoS) device. The NFC based mobile devices and contactless credit cards can engage with PoS
devices to enable contactless payments. The ISO/IEC 14443 standards define the framework to
manage the contactless payment communications between a payment card reader (or NFC capable
PoS device) and an associated payment card device (either card based or NFC device based).
Near Field Communication (NFC) Contactless payment
Near field communication technology leverages short range wireless technology that can
enable the communication between two devices whenever they come into the close vicinity of each
other. In the context of mobile transactions, this communication technology is further used to initiate
payments from an NFC enabled mobile client device with a corresponding NFC enabled PoS device.
Sync and Async Payment Transactions
Mobile commerce payment transactions can be conducted either in a synchronous or in an asynchronous
mode. In a synchronous payment transaction, the user's payment transaction is completed along with
the underlying business sales transactions, which usually have atomic transaction scope. Usually, card
based mobile payments are processed through synchronous integration patterns.
The mobile transactions can also be handled in an asynchronous fashion using SMS, USSD mobile, and
other technologies, wherein the entire mobile commerce transaction is conducted through a set of
related, but asynchronous business transactions.
Mobile Commerce Solution Architecture
A mobile commerce solution architecture that can support mobile transaction processing capabilities
needs to address the requirements that are unique (in addition to business requirements) to mobile
commerce, such as performance, security and relative instability of the mobile wireless networks,
constantly emerging mobile technologies and a wide range of mobile client technology specifications. It
is also important that the solution architecture addresses all the non functional requirements such as
scalability, availability, PCI-DSS compliance, DPA compliance, and any other associated regulatory
compliance requirements. In this section we further discuss architectural details of the mobile
transaction processing solution framework that can support end to end mobile commerce business
models in many organizations.
Mobile Commerce Transaction Scope - Flows
A typical mobile commerce transaction can be viewed either as an atomic or as a long lived composite
transaction (depending on the requirements), comprising multiple participating sub transactions
(services) such as an order management transaction and an associated payment transaction. The
following diagrams show the general transaction scope of a mobile commerce business transaction.
Figure 9: Mobile Transaction Processing Solution Framework
In order to ensure a successful mobile transaction and to maintain transaction integrity, all the
individual steps in the scope are required to be completed; otherwise an appropriate rollback (compensation) is
required to be issued. In order to maintain payment transactional integrity, it is important to ensure
that the rollback of payments is achieved (by issuing payment rollback instructions), in case any
part of the transaction fails to go ahead. However, for practical reasons, it is also feasible to update
the orders manually, in case the payment is successful but the order update has failed.
However, if the order is cancelled for some reason (usually by end users), then a corresponding
payment rollback transaction needs to be initiated (depending upon the logic).
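The rollback rules in the paragraph above can be sketched as a small compensation runner. This is an added example, not code from the white paper: the `PaymentService` stand-in, the `fulfil_order` step, the idempotency key format and all other names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable


class Outcome(Enum):
    COMPLETED = "completed"
    ROLLED_BACK = "rolled_back"
    MANUAL_ORDER_UPDATE = "manual_order_update"


class StepFailed(Exception):
    """Raised by a sub-transaction that could not complete."""


@dataclass
class PaymentService:
    """Constructed in-memory stand-in for a payment provider (hypothetical)."""
    payments: dict = field(default_factory=dict)

    def pay(self, key: str, amount: int) -> None:
        # The idempotency key turns a retried request into a no-op, not a second charge.
        self.payments.setdefault(key, {"amount": amount, "state": "paid"})

    def rollback(self, key: str) -> None:
        # Safe to repeat: reversing twice or reversing an unknown key changes nothing.
        if key in self.payments:
            self.payments[key]["state"] = "reversed"

    def net_charged(self) -> int:
        return sum(p["amount"] for p in self.payments.values() if p["state"] == "paid")


@dataclass
class Step:
    name: str
    action: Callable[[], None]
    compensate: Callable[[], None]
    manual_fix_ok: bool = False  # a failure here is repaired by hand, payment is kept


def run_composite(steps: list, audit: list) -> Outcome:
    """Run steps in order; on failure compensate the completed ones in reverse."""
    completed = []
    for step in steps:
        try:
            step.action()
        except StepFailed:
            audit.append(f"{step.name}:failed")
            if step.manual_fix_ok:
                audit.append(f"{step.name}:queued_for_manual_update")
                return Outcome.MANUAL_ORDER_UPDATE
            for prev in reversed(completed):
                prev.compensate()
                audit.append(f"{prev.name}:compensated")
            return Outcome.ROLLED_BACK
        completed.append(step)
        audit.append(f"{step.name}:ok")
    return Outcome.COMPLETED


def place_order(order_id, amount, payments, orders, fail_at=None):
    """Composite order + payment transaction; fail_at injects a failure for the demo."""
    key, audit = f"pay-{order_id}", []

    def guarded(name, effect):
        def action():
            if fail_at == name:
                raise StepFailed(name)
            effect()
        return action

    steps = [
        Step("create_order",
             guarded("create_order", lambda: orders.update({order_id: "pending"})),
             lambda: orders.update({order_id: "cancelled"})),
        Step("take_payment",
             guarded("take_payment", lambda: payments.pay(key, amount)),
             lambda: payments.rollback(key)),
        Step("fulfil_order",  # hypothetical delivery step, e.g. content provisioning
             guarded("fulfil_order", lambda: None),
             lambda: None),
        Step("confirm_order",
             guarded("confirm_order", lambda: orders.update({order_id: "confirmed"})),
             lambda: None, manual_fix_ok=True),
    ]
    return run_composite(steps, audit), audit


def cancel_order(order_id, payments, orders):
    """User-initiated cancellation triggers the matching payment rollback."""
    orders[order_id] = "cancelled"
    payments.rollback(f"pay-{order_id}")


if __name__ == "__main__":
    pay, orders = PaymentService(), {}
    print(place_order("o1", 500, pay, orders, fail_at="fulfil_order"), pay.net_charged())
```

The audit list records every step result and compensation in order, which is the trail a reconciliation job would compare against the payment provider's records.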
In order to improve performance, in some use cases it may be useful to introduce asynchronous
mobile commerce transaction processing, wherever it is feasible to achieve. This can be
achieved by breaking the entire mobile transaction into manageable sub transactions that
can be meaningfully performed in an asynchronous manner, while still achieving the
completion of the overall mobile commerce transaction.
Figure 10: Mobile Commerce Transaction Scope
Figure 11: End-to-End Full Transaction
Mobile Client Presentation Layer
The client application layer of the solution provides the mobile user interfaces, using which
the end users can conduct their mobile commerce transactions. The key mobile commerce client
functions can be grouped into the following modules, which are implemented using different
mobile client technologies.
Figure 12: mCommerce Transactions Presentation Layer Modules
User Module - Provides the full functionality to manage the user profile, which can provide all the
necessary information regarding the user that is essential to conduct mobile payment
transactions. The information can include user id, user certificates, user card details including PIN
(through secured storage), billing address, shipping address etc. The following are some of
the key mobile use cases of this module:
Login - Enables the user to login into their mobile payment accounts.
Manage User Profile - Allows user to update and manage their mobile account.
Fill up Wallet Account - Make deposits to the mobile wallet account.
Make Mobile P2P Payments - Allows the user to make person-to-person mobile payments using
card or m-wallet account.
Make Mobile Money Transfers - Allows the users to make mobile money transfers.
Make P2P Payments / Money Transfers with SMS - Allows the users to perform P2P payments with
SMS based communication.
Make P2P Payments / Money Transfers with USSD - Enables the user to pay using USSD
messages.
Product and Service Module - This module provisions the mobile commerce product and service
catalog services, using which users can browse the available services and products along with their
pricing details. The following key use cases are included as a part of this module.
Search Products and Service Catalog - Allows the users to perform a quick search on available
products and services.
View products and service catalog - Enables the users to view the products and services
available in a particular category.
Buy selected services with M-wallet account - Enables the users to buy the selected product
or service with their M-wallet account.
Buy selected services with card payments - Enables the users to buy the selected product or
service with credit or debit payment cards.
Buy selected services with M-wallet account using SMS - Enables the users to buy the
selected product or service with their M-wallet account, using SMS messages.
Buy selected services with M-wallet account using USSD - Enables the users to buy the
selected product or service with their M-wallet account, using USSD messages.
Buy selected services with M-wallet account on NFC channel - Enables the users to buy the
selected product or service with their M-wallet account, using NFC channel.
Orders management module (with payment processing) - This is one of the key modules, using
which users can select the products and services, add them to their shopping cart and subsequently
initiate mobile commerce orders. Internally, this module uses the mobile payment module to initiate
the mobile payments in the context of a placed order. This module includes the following main use
cases:
Create shopping cart for an order - Allows the users to create an order (shopping cart) from
selected products and services.
Add products and services to an order - Users can add, delete, and update the order with
selected products and services.
Pay the order with M-wallet account - Enables the users to pay the order with their M-wallet
account.
Pay the order with card payments - Enables the users to pay the order with their credit or debit
card accounts.
System Admin Module - Includes the mobile commerce application management functions, to set up
various system configurations that are used during live transactions. This module also enables the
users to maintain their address details, payment contacts, and any vouchers and coupons which they
can use during payments. The following are some of the sample use cases included in this module.
Manage user account - Enables the users to maintain their mobile account details.
Manage user address - Allows the users to manage their various addresses such as billing address,
shipping address etc.
Manage user's contacts - To manage the user's payment contact details.
Manage user coupons and vouchers - Enables the users to manage their coupons and loyalty
points etc.
The UI layer can be built using multiple mobile client technologies depending upon the operating
system and API supported by the individual mobile devices. Currently, multiple mobile operating
systems and mobile client APIs (SDKs) are provided by major mobile software vendors in the market.
Following are some of the key mobile client (micro edition) APIs (SDKs) (supported on the respective mobile
OS) that can be used for developing the mobile client application layer:
Java ME - Java Platform Micro Edition is a complete Java based design time and run time
platform, supporting mobile technology with Java run time. Java ME provides multiple APIs and JSRs
to support mobile application development. For the mobile client application development, one can
use some of the key APIs such as Java ME web service, Java ME Swing and Java ME Socket to develop
appropriate Java mobile client applications. A set of mobile technology JSR APIs are bundled, as a
part of the latest Java ME, to support a wide array of mobile applications.
Windows Mobile OS7 - Windows SDK is the latest Windows operating system and SDK for Windows
mobile devices. Windows mobile SDK can support full cycle development of Windows mobile
commerce clients, which can connect with the mobile commerce services hosted in the service
layer. Windows OS7 clients will be able to run on mobile client devices that run Windows OS7.
Android - Android Mobile OS is another major mobile operating system along with a relevant
SDK that can support full cycle development of mobile commerce clients, which can interface
with mobile commerce services hosted in the service layer.
iOS7 - Is an Apple OS for Apple mobile devices and smartphones supporting full cycle
development of the mobile commerce clients that can interact with the mobile commerce
services hosted on the service layer.
SMS - SMS based mobile commerce connectivity has been successfully used, wherein
the SMS messages are used to process the mobile payment transactions in the context of
mobile commerce transactions.
Figure 13: Mobile Commerce Service Layers
WAP clients: Wireless Application Protocol is a GPRS based protocol, using which WML based
mobile client applications can be displayed in the mobile devices using WAP enabled browsers. WAP
enabled mobile clients can interact with the mobile commerce services including mobile payment
services, hosted on the mobile commerce service layer. WAP clients are supported by the majority of the
client devices and a WAP gateway is required for converting the WML content to HTML content before
being posted to the application server (Web server) in the mobile commerce service layer. The majority of
the WAP sites are accessible from a wide array of mobile devices. As of now WAP based mobile
service is slowly declining, as more and more powerful mobile browsers are now being supported by
recent mobile devices.
Mobile HTTP client (http 5.0 / CSS 3.0)
Recent mobile devices and smartphones are enabled with micro browsers which are capable of
rendering many of the modern day web application content. Some of these micro browsers now
support client side computing (mobile ajax) and can successfully render the complete web content
that is developed on http 5.0 / CSS 3.0 standards. The mobile commerce clients can be developed
on http 5.0 / CSS 3.0 specification standards, just as any other standard web application. The server
side components of the web applications can invoke the services hosted on the mobile commerce
service layer.
Mobile Commerce Transaction Layer
The mobile commerce transaction layer of the solution comprises the mobile commerce key process
(workflows) layer and the mobile commerce service layer. This layer can host a variety of required mobile
commerce and payment processing processes and services. The following diagram depicts a
representative set of mobile transaction services hosted in this layer.
Figure 14: Mobile Commerce Transaction Layer
Process and human workflow Layer
The process layer of the solution consists of key mobile commerce business processes that
support the end-to-end processing of mobile transactions involving human workflows. The processes
(workflows) hosted in the process layer can be long lived processes or atomic short lived transaction
processes. The human interfaces of these processes (which are also termed human workflow services)
can be implemented as mobile client applications, using which the end users interact with
the mobile commerce process workflows.
Service Layer
In this layer, key mobile commerce services are created, composed and aggregated and are exposed
as services, which can be invoked by various consumers with supported service bindings.
Basically, the services created in this layer include the business services, utility services and application
services that can facilitate the integration between internal applications as well as external sources.
The services in this layer are created as service composites compliant with SCA standards. The
services can also be accessed by the mobile presentation layer components over REST protocol, via
"REST Adaptor" components. The service calls over REST protocol are likely to improve performance
in some scenarios.
Service Bus
The service bus hosts service end points for the mobile commerce services. The mobile client
applications as well as mobile business processes and any other service consumer clients can invoke
the service end points through the service bus. The service bus provides standard functionality such as
service routing, service mediation, service protocol transformation, service auditing and logging and
quality of service (QoS) features to the service end points.
Payment Messaging Authorizations, Settlements, and Reconciliations
The payment processing services in the mobile transaction solution framework can leverage the
following types of payment integrations:
1. Payment gateway service provider integration - Any third party payment gateway service
providers are directly integrated from the mobile transaction processing solution framework. Such
integrations are developed with multiple integration protocols such as web services, TCP/IP socket
interfaces, secured file transfers and secured message transfers, depending upon the integration
support provided by the service provider. The messages exchanged through such gateway service
providers are usually customized in nature, as per the specifications determined by the service
provider.
2. Authorization and verification integrations (with acquirer or payment authorisation service
provider) - In this mode of integration, the mobile transaction framework directly integrates with the
relevant acquirer or card authorization service provider, for securing the authorizations (pre, post
and partial authorizations), payment reversals, and also relevant card holder verifications, for card
based transactions. The authorization and verification messages exchanged are usually ISO8583
compliant, supporting the required authorization cycles.
Figure 15: Payment Messaging Interfaces
3. Settlement integrations with settlement service providers - These are the interfaces with
payment settlement service providers, to ensure timely settlements of conducted payment
transactions. The settlement integrations are usually implemented as asynchronous secure file
exchange (SFTP, SSH) based interfaces. The settlement files are created as per the settlement file
specifications, such as apacs29b formats.
4. Authorisation and settlement interfaces with mobile wallet service providers - These are
the interfaces between the mobile transaction solution framework and relevant mobile wallet service
providers to authorize and settle the mobile wallet account based transactions. Such interfaces are
usually implemented as real time sync integrations, but can also be implemented in batch mode,
depending upon the arrangements with the involved mobile wallet service providers. The messages
exchanged with the mobile wallet service providers are usually proprietary in nature.
5. Reconciliation Interfaces - These are various interfaces developed in the mobile transaction
solution framework, to facilitate payment transaction reconciliations between various participants
involved in the payment eco system. Such participants may include merchant locations, retailers'
POS locations, payment authorization service providers, payment settlement service providers,
issuer banks, acquirer banks and any associated card network service providers.
ISO8583 Message interfaces - The payment interfaces between the mobile transaction solution
framework and various associated payment authorisation service providers are based on ISO 8583
messaging standards. The key message types of ISO8583 messages, exchanged between the MPTS
frameworks and respective payment authorisation service providers, are depicted in the diagram
below.
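To make the ISO 8583 authorization and reversal messages mentioned above concrete, the following added example (not part of the white paper) decodes the message type indicator and primary bitmap of a constructed message and produces a log-safe view that masks the PAN and drops sensitive authentication data. The wire encoding (ASCII digits, hex bitmap, two-digit LLVAR prefix), the field subset and all function names are assumptions; real authorization providers publish their own encodings.

```python
# Field layout subset, ISO 8583:1987 numbering. Wire encoding is an assumption for
# this example: ASCII digits, hex-encoded primary bitmap, 2-digit LLVAR length prefix.
FIELDS = {
    2: ("pan", "llvar", 19),
    3: ("processing_code", "fixed", 6),
    4: ("amount", "fixed", 12),
    11: ("stan", "fixed", 6),
    35: ("track2", "llvar", 37),
    39: ("response_code", "fixed", 2),
    41: ("terminal_id", "fixed", 8),
    49: ("currency", "fixed", 3),
    52: ("pin_block", "fixed", 16),  # 8 bytes, hex-encoded in this example
}
SENSITIVE_AUTH_DATA = ("track2", "pin_block")  # never written to logs

MTI_CLASS = {"1": "authorization", "2": "financial", "4": "reversal",
             "5": "reconciliation", "8": "network management"}
MTI_FUNCTION = {"0": "request", "1": "request response",
                "2": "advice", "3": "advice response"}

# Constructed sample: 0100 authorization request carrying fields 2, 3, 4, 11, 41, 49, 52.
# The PAN is a test number and the PIN block is made-up hex.
SAMPLE_AUTH_REQUEST = (
    "0100" "7020000000809000"
    "16" "4111111111111111"
    "000000" "000000012500" "000042" "TERM0001" "826" "0123456789ABCDEF"
)


def mti_meaning(mti: str) -> tuple:
    """Return (message class, message function) for a 4-digit MTI."""
    if len(mti) != 4 or not mti.isdigit():
        raise ValueError("MTI must be four digits")
    return MTI_CLASS.get(mti[1], "other"), MTI_FUNCTION.get(mti[2], "other")


def parse(msg: str) -> dict:
    """Decode MTI, primary bitmap and the data elements the bitmap announces."""
    if len(msg) < 20:
        raise ValueError("message shorter than MTI + primary bitmap")
    mti, bitmap = msg[:4], int(msg[4:20], 16)
    msg_class, function = mti_meaning(mti)
    if bitmap >> 63:
        raise ValueError("secondary bitmap not handled in this example")
    pos, fields = 20, {}
    for number in range(2, 65):
        if not (bitmap >> (64 - number)) & 1:
            continue
        if number not in FIELDS:
            # Without the length of this field, every later offset is a guess.
            raise ValueError(f"field {number} present but not in the field table")
        name, kind, size = FIELDS[number]
        length = size
        if kind == "llvar":
            length = int(msg[pos:pos + 2])
            pos += 2
            if length > size:
                raise ValueError(f"field {number} longer than its maximum")
        value = msg[pos:pos + length]
        if len(value) != length:
            raise ValueError(f"message truncated inside field {number}")
        fields[name] = value
        pos += length
    if pos != len(msg):
        raise ValueError("trailing bytes after the last announced field")
    return {"mti": mti, "class": msg_class, "function": function, "fields": fields}


def log_safe(parsed: dict) -> dict:
    """Copy of a parsed message that is fit for audit logs."""
    safe = dict(parsed["fields"])
    for name in SENSITIVE_AUTH_DATA:
        if name in safe:
            safe[name] = "[REDACTED]"
    pan = safe.get("pan")
    if pan is not None:
        # Keep first six and last four digits; mask very short values completely.
        safe["pan"] = pan[:6] + "*" * (len(pan) - 10) + pan[-4:] if len(pan) >= 13 else "*" * len(pan)
    return {**parsed, "fields": safe}


if __name__ == "__main__":
    print(log_safe(parse(SAMPLE_AUTH_REQUEST)))
```

Rejecting a message whose bitmap announces an unknown field, instead of skipping it, keeps a malformed or unexpected message from being misread as a valid authorization.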
Payment Gateway Integrations
Payment gateways provide market specific payment authorization and settlement services, supporting
multiple types of card based payment processing, such as debit cards, credit cards, visa, master card
and euro pay cards. The mobile transaction processing framework includes the integration services for
external payment gateways. Based on the nature of the payment transaction, card type and geography,
the respective payment processing gateway services are integrated. Usually, the payment gateways
can be integrated over https (secured SSL) using SOAP as well as name value pair based payment
interfaces.
Figure 16: ISO 8583 Payment Messaging
Telco Operator Integrations
Telco operators, including both network operators and mobile service providers, are integral and most
important participants in the mobile commerce ecosystem. The mobile transaction processing solution
framework requires extensive integration with the concerned Telco operators, depending upon the nature
of the mobile transactions involved. In this section, we briefly look into various integration scenarios
that are required to be supported as a part of the transaction processing solution.
SMS Integration
SMS messages constitute a key part of the mobile transaction processing model; they are widely used
to implement an asynchronous communication pattern with the end users. From the transaction
processing layer, the inbound and outbound messages are usually received and sent by an SMS gateway
which is generally located in the Telco operator's premises. But in order to support multiple Telco
operator messages, an SMS gateway can also be hosted within the mobile transaction processing
service provider's domain. Basically, the SMS gateway server acts as an interface between the end user
and the processing server. The inbound SMS messages are received by the SMS gateway and stored in
a database, from where such messages are read by the transaction processing layer. The outbound SMS
messages are written into a database table from where the SMS gateway sends the messages to
the end users. A pictorial representation of the SMS gateway is shown in the figure above.
USSD Integration
USSD (unstructured supplementary service data) is another communication mechanism
supported by many Telco operators. Using USSD commands, the end mobile devices can send and
receive messages with USSD servers hosted in the Telco operator domain. Such USSD commands are
used as a part of the mobile commerce transaction flow, to implement certain parts of the overall
transactions. The USSD messages can be sent and received by interfacing with a USSD gateway which
is usually hosted in the Telco operator's domain. Mobile transaction processing services can send and
receive such USSD messages using an XML interface via the USSD gateway. The following diagram depicts
the flow of USSD integration.
Figure 17: Mobile Commerce SMS Integration
Figure 18: Mobile Commerce USSD Message Integration
WAP/ WML Content Integration
WAP is one of the mobile communication standards, using which mobile devices, through WAP
browsers, can access WAP enabled information content. The WAP browsers are able to recognize the
WML content over wireless and display the content on the mobile devices. The WAP technology is
leveraged to enable a variety of mobile commerce transactions which are hosted through WAP enabled
sites. The WAP content (through WML) is sent and received through a WAP gateway usually hosted in
the Telco operator's domain. The WAP gateway serves as an exchange/transformer for converting WAP
(WML / XHTML wap 2.0) to HTTP/HTTPS (HTML) content between the WAP gateway and the web server
hosted in the mobile transaction processing service provider's domain. The following diagram depicts
the flow of WAP Gateway integration from the web server.
Figure 19: Mobile Commerce WAP Content Integration
B2B Mobile Commerce Content Integrations
The mobile commerce transaction processing framework supports integration of multiple partner
hosted mobile content services, which are offered to the end users as a part of the mobile commerce
business model. The users will be able to browse and shop these services that are listed in the mobile
commerce content catalog. For example, users will be able to browse the music services, to buy and
download the songs they are interested in. The mobile transaction processing solution framework enables the
integration of such externally provisioned content services, through its service layer, using service
bus components. Subsequently, such external services are further invoked by various aggregation
services hosted in the service layer, or in some cases directly by the mobile commerce client
applications. The following diagram depicts the external mobile commerce content integration
scenario.
Figure 20: Partner Mobile Commerce Content Integration
Back Office Integrations
The mobile commerce solution framework is devised to integrate with key back office applications,
such as financial accounting, HR, admin, MIS and analytical applications in the organization. The
transaction records are further fed into the enterprise applications, which in turn process those mobile
transaction records as per business need and requirements. Upon creation and modification of a
mobile transaction record in the framework, respective record events (along with record details) are
generated and written to subscribed message queues. Subsequently the transaction records are read
from those queues and updated to the respective enterprise applications such as SAP, ORACLE EBS,
Reporting and MIS etc. The following diagram depicts the back office integration scenario supported
in the solution.
Figure 21: Mobile transactions - Back Office processing
Business Intelligence
The business intelligence functionality is an essential part of the mobile commerce transaction
processing solution, and this subsystem is devised to provide complete insight into operational and
analytical reporting on mobile commerce transactions conducted through the framework. Whenever a
mobile transaction record is created or modified, an associated business intelligence event is
generated (consisting of record details) and is written to subscribed business intelligence message
queues. The day-to-day transaction records from the mobile commerce transaction BI queues are
extracted by ETL processes to load into the mobile commerce staging, ODS, and SW data sources.
The purpose built mobile commerce specific business intelligence data mart is populated with the
data extracted and aggregated from the ODS and EDW data stores. The mobile commerce analytical
and operational reports are generated against ODS and mobile commerce data marts and are
provisioned through a dedicated reporting dashboard. The following diagram depicts the data
extraction flows for business intelligence.
Figure 22: Mobile Commerce - Business Analytics
Business Activity Monitoring
The business activity monitoring services in the mobile transaction solution framework provide
visibility on the key performance indicators of the executed mobile commerce transaction processes
and services at run time. The business activity monitoring services provide a complete dashboard
that can provide full visibility on the performance of deployed mobile commerce processes and
services. When the mobile commerce service layer is implemented and is enabled for BAM
reporting, the out of the box BAM reports and dashboard can provide end-to-end visibility on the KPIs
of the deployed mobile transaction services.
Mobile Commerce Payment Security
Security is an important and integral part of the mobile commerce transaction processing model and is
critical to achieving compliance with regulatory standards such as PCI-DSS,
DPA, SOX etc. The mobile payment security scope, at the minimum, includes the authentication,
encryption/decryption, authorization and non-repudiation (digital signatures) aspects associated with
mobile transactions.
Because mobile commerce transactions inherently involve payment transactions, it is
extremely critical that the solution is PCI-DSS compliant in all its services and functional paths. The
mobile transaction processing solution framework ensures end-to-end security of the sensitive data
(PAN and sensitive authentication data, SAD) using strong encryption across all paths of the
transactions. The point-to-point encryption (P2PE) practice is known to reduce the scope of a PCI-DSS
assessment, and hence P2PE practices are widely used for securing card holder
data (CHD) during transmission.
Encryption functions in mobile devices (NFC clients) ensure that the card holder's data (CHD) and any
other sensitive data are encrypted at the point of entry itself using strong encryption algorithms (SSL V3)
and high strength public keys. The corresponding decryption functions are located at the destination
points, where the ciphertext (unreadable) content is decrypted using private key components. Public
and private keys (asymmetric encryption) are securely managed through key management solutions,
which ensure key generation and secure key distribution to the encryption and decryption points.
Content Encryption or message level security
Symmetric key based encryption technologies such as DES, 3DES (Triple data encryption security),
Blowfish and DUKPT (derived unique key per transaction) are used to encrypt the content (to provide
message level security) from the source point to the destination point (decryption point). A symmetric key is a
common secret key used for both encrypting and decrypting the content, and hence such a key needs to be
managed securely. External encryption APIs or inbuilt APIs (Windows Mobile edition) can be used to
implement 3DES encryption. In order to provide additional security for the common symmetric key,
the DUKPT mechanism can be used, which derives a unique key (from the master key) to encrypt each
and every transaction.
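The per-transaction key idea described above, as an added example (not code from this white paper or from any product it describes): a device is provisioned with a key derived from the master key and ratchets it forward one-way for every transaction, and the host rebuilds the same key from the serial number sent with the message. HMAC-SHA256 stands in here for the ANSI X9.24 TDES derivation that real DUKPT uses, and all names and sample values are assumptions of this example.

```python
import hashlib
import hmac


def _step(key: bytes, label: bytes) -> bytes:
    """One-way derivation step (HMAC-SHA256 in place of the X9.24 TDES step)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def initial_device_key(master_key: bytes, device_id: bytes) -> bytes:
    """Host side, at provisioning: the only key material injected into a device."""
    return _step(master_key, b"initial-key|" + device_id)


class Device:
    """Mobile client: holds its current ratchet state, never the master key."""

    def __init__(self, device_id: bytes, initial_key: bytes):
        self.device_id = device_id
        self._state = initial_key
        self.counter = 0

    def next_transaction_key(self):
        """Advance the ratchet; return (serial, key) for exactly one transaction."""
        self._state = _step(self._state, b"ratchet")  # earlier state is overwritten
        self.counter += 1
        serial = self.device_id + b"|" + str(self.counter).encode()
        return serial, _step(self._state, b"transaction-key")


def host_transaction_key(master_key: bytes, serial: bytes) -> bytes:
    """Host side: rebuild the key from the serial that travels with the message."""
    device_id, counter = serial.rsplit(b"|", 1)
    state = initial_device_key(master_key, device_id)
    for _ in range(int(counter.decode())):
        state = _step(state, b"ratchet")
    return _step(state, b"transaction-key")


def seal(key: bytes, payload: bytes) -> bytes:
    """Tag a payload with the transaction key; a cipher keyed the same way
    would give the confidentiality the text describes."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def demo():
    master = bytes(range(32))  # constructed sample key, for illustration only
    device = Device(b"DEV001", initial_device_key(master, b"DEV001"))
    results = []
    for payload in (b"txn=1;amount=10.00", b"txn=2;amount=25.50"):  # constructed
        serial, key = device.next_transaction_key()
        tag = seal(key, payload)
        host_key = host_transaction_key(master, serial)
        verified = hmac.compare_digest(tag, seal(host_key, payload))
        results.append((serial, key, verified))
    return results


if __name__ == "__main__":
    for serial, key, verified in demo():
        print(serial.decode(), key.hex()[:16], "host verified:", verified)
```

Because each ratchet step is one-way and the previous state is overwritten, a key captured from the device does not yield the keys of transactions it has already sent.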
Transport Layer Security
The following section describes how various paths in the mobile transaction processing are secured
with transport layer security protocols (SSL/TLS).
1. Mobile Devices to Telecom Operator: HTTPS/SSL, WTLS
a. The communication between J2ME mobile clients and the telecom operator is encrypted using
HTTPS/SSL, which is PCI-compliant.
b. When WAP sites and WAP clients are used, the communication between the WAP browser and the
Telco's WAP gateway is secured through the WTLS (Wireless Transport Layer Security) protocol.
Figure 23: Mobile Transaction Processing: End-to-End Security
The encrypted card holder data (CHD) is passed to the mobile commerce transaction service providers,
where the same data is decrypted (using private keys) and further processed for authorizations.
2. Telco Operator to Internet: HTTPS/SSL. The communication segment between the Telco operator's
network and the connected internet is secured through HTTPS/SSL. The Telco operator network is
connected either with a secured VPN or with dedicated secured leased lines which are secured
through SSL encryption.
3. Internet to Mobile Transaction Provider's Intranet: HTTPS/SSL. The communication in this segment
of the network is secured through HTTPS/SSL.
4. Mobile Transaction Processor and Mobile Commerce Content Provider: HTTPS/SSL. The
communication between the service layer of the solution and the respective external mobile
commerce content provider is secured through HTTPS/SSL encryption.
5. Mobile Transaction Processor and Payment Gateway Service Provider: HTTPS/SSL. The
communication path between the mobile transaction processing platform and the respective
payment gateway service providers is secured through HTTPS/SSL.
6. Transmission of card holder data over the entire network (public network) is encrypted using strong
cryptography and security protocols such as SSL v3/TLS for HTTPS, SSL/IPsec for VPN, and SSH for
file transfers.
The solution framework is devised not to hold or store any customer's credit card data during
transaction processing; no credit card information is stored during the entire course of mobile
transaction processing in the framework. Any personally identifiable information (PII) stored in the
solution is encrypted in storage. The tokenized CHD (PAN) data is stored in the system after
authorization.
PCI DSS compliance for wireless networks: The PCI-DSS 2.0 guidelines for wireless networks
(WLANs: Bluetooth or Wi-Fi) stipulate a definitive set of requirements for wireless networks. All the
WLANs connected to the run time environment of the mobile transaction processing framework are required
to be secured as per the PCI-DSS requirements. The WLANs are subjected to planned physical and logical
inspections and are also tested through regularly planned wireless vulnerability scanning
tasks. The firewalls are configured to identify the authorized wireless traffic (if any) and block any
unauthorized wireless traffic entering the core processing zone, whose servers may hold
sensitive customer data including card data. Any Wi-Fi WLAN connected to the run time environment is
required to adhere to enterprise mode WPA/WPA (Wi-Fi Protected Access) 2.0 authentication and is
required to employ AES (Advanced Encryption Standard) for wireless encryption.
Tokenization and End-to-End Security for PA-DSS Compliance
Tokenization approaches are used to protect the sensitive card and PII data during payment
processing and the subsequent storage of payment related data. The PA-DSS (along with PCI-DSS)
compliance framework requires end-to-end encryption of the card, PIN and other
personally identifiable data of the customers along the entire path of payment transaction processing.
The following diagram briefly depicts the tokenization flows used in the context of payment processing.
The encrypted credit/debit or wallet account data from the mobile client application is passed to the
mobile commerce transaction processor, where it is tokenized
using tokenization services. The actual card or wallet account data is used for authorizations, and the
tokenized card/wallet data (not the actual card details) is stored in the transaction store. For all
subsequent processing, including reporting, analytics, POS services etc, the tokenized data is used.
The tokenization approach reduces the effort required to manage the PCI-DSS compliance requirements
by reducing the places where the actual card/wallet and any other PII data is stored.
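The tokenization flow described above, as an added example (not code from this white paper): the real PAN reaches only the vault and the authorization call, while the transaction store and the reporting step see the token. The in-memory TokenVault, the authorize stub, the token format and the test PAN are assumptions of this example.

```python
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check digit test applied before a value is accepted as a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                    # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """The one component that holds real PANs (a production vault would keep
    them encrypted at rest and restrict who may call detokenize)."""

    def __init__(self):
        self._by_pan = {}
        self._by_token = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        if pan not in self._by_pan:       # same card always maps to the same token
            token = "tok_" + secrets.token_hex(8)
            while token in self._by_token:
                token = "tok_" + secrets.token_hex(8)
            self._by_pan[pan] = token
            self._by_token[token] = pan
        return self._by_pan[pan]

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


def process_payment(vault, authorize, store, pan, amount):
    """Tokenize, authorize with the real PAN, persist only the token."""
    token = vault.tokenize(pan)           # rejects malformed input before authorization
    approved = authorize(pan, amount)     # the gateway call is the only PAN consumer
    record = {"card": token, "amount": amount, "approved": approved}
    store.append(record)
    return record


def spend_per_card(store):
    """Reporting over the transaction store works on tokens alone."""
    totals = {}
    for rec in store:
        if rec["approved"]:
            totals[rec["card"]] = totals.get(rec["card"], 0) + rec["amount"]
    return totals


def demo():
    vault, store, seen_by_gateway = TokenVault(), [], []

    def authorize(pan, amount):           # hypothetical payment gateway stub
        seen_by_gateway.append(pan)
        return amount <= 50000            # constructed approval rule, minor units

    pan = "4111111111111111"              # widely used test number, not a real card
    for amount in (1250, 99900, 300):
        process_payment(vault, authorize, store, pan, amount)
    return vault, store, seen_by_gateway


if __name__ == "__main__":
    vault, store, _ = demo()
    print(store)
    print(spend_per_card(store))
```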
NFC-Based Mobile Commerce Payments
Near field communication (NFC) is another short distance radio communication technology, enabling
communication between two devices when they are in close vicinity of each other (4 cm). This
technology is increasingly being considered for use in contactless payment processing models.
In the context of mobile payment processing, an NFC enabled mobile device can interact with an NFC
enabled point of sale (POS) device and perform payment functions through NFC
connectivity. The NFC implementation leverages the ISO/IEC 14443 standards for NFC card reader
(PCD) and NFC device (NFC client - PICC) communications. In order to complete a mobile commerce
transaction, it is essential that the mobile devices and the POS equipment are both NFC enabled. There
are different scenarios as to how NFC enabled mobile devices can be used to perform payment
operations in the context of an overall mobile commerce transaction. The following section briefly
discusses different NFC technology based mobile payment transaction scenarios.
Figure 24: Tokenization Flows in Context Payment Processing
NFC Card Based Payment Processing
In this payment transaction scenario, an NFC enabled mobile device is used to make card based (credit
or debit) payments with an associated NFC enabled POS device. In this scenario, the actual card
details along with the PIN details are stored in the mobile device's NFC controller (like an NFC enabled
smartcard). When a commerce transaction is completed at an NFC enabled POS, the subsequent
payment can be made with an NFC mobile device by bringing it into contact with the NFC
POS concerned. On close contact, the bill details are passed to the mobile device; the user can see the bill and
press the required button to make the payment. The card details along with the PIN are passed to the NFC enabled
POS, which further processes the card details to complete the payment transaction. The payment
transaction between the NFC POS and the payment gateway service provider continues as in a
normal payment scenario. Upon completion of payment processing, the NFC POS sends a payment
confirmation message to the NFC mobile device, and the overall mobile transaction is closed.
Figure 25: NFC - Card based Payment Processing
NFC Mobile Wallet Processing
In this scenario, an NFC enabled mobile device is used to make payments at an NFC enabled POS
using the user's mobile M-Wallet account. Mobile users, instead of using credit cards, use their M-Wallet
account to make the payments. The NFC enabled POS presents the bill to the user, who accepts
it to make the payment, sending the M-Wallet account details to the NFC POS, which then interacts
with the user's M-Wallet account service provider to close the payment transaction. Upon successful
payment processing, the NFC POS sends a confirmation message to the mobile device and the
overall transaction is closed.
Figure 26: NFC - Mobile Wallet Processing
NFC Sales and Marketing Content Model
NFC technology is widely being considered as a sales and marketing channel, wherein appropriately
tailored sales coupons and marketing campaigns are pushed to users' NFC enabled mobile devices
whenever such a device comes into close vicinity of an NFC enabled marketing server in a shopping or
similar commercial environment. Such sales and marketing campaigns appear on the NFC mobile
devices, giving users informed options for making their commercial decisions and transactions.
NFC enabled mobile devices are offered sales and discount coupons (as part of marketing
initiatives) by their mobile operators. Such coupons can be used directly during mobile
commerce transactions with an NFC enabled POS.
Figure 27: NFC - Sales and Marketing Content Model
Application Architecture Mobile Transaction Processing
The service layer of the mobile transaction processing solution framework is primarily built on service
oriented architecture principles, wherein the key components of the service layer are designed and
developed to service component architecture (SCA) standards.
Service End Points: The end services, which are either internal services (created within the
organization) or various external services provisioned by business partners, are hosted on the service
bus through appropriate service bus implementations. The service bus implementation depends upon
the chosen service bus product. These service end points can be directly linked to the service bus or
invoked through dynamic binding using a service registry, depending upon the nature of the SOA
implementation in an organization.
Service bus layer: The service bus layer exposes the service endpoints to the consuming clients,
which could be either BPEL components or direct end mobile clients. The service bus layer can support
service composition and service routing patterns, which can be used to assemble the services and
expose them through service bus. The service bus layer implementation depends upon the chosen
service bus product.
BPEL layer: The BPEL layer is implemented with BPEL components (SCA architecture) to create
composite services in the mobile transaction framework. The BPEL components are exposed through
multiple bindings (SOAP/HTTPS, SOAP/REST, TCP, FTP, XML etc) through which mobile clients can
invoke these services. In some implementations, in order to improve performance, the BPEL SOAP
services are interfaced with REST adapters, which expose those services as REST services.
Client layer: The mobile client components in the solution are implemented using multiple
technologies (depending upon the mobile device and OS compatibility), as J2ME clients, JSP/WML
(WAP) enabled clients (WAP enabled sites), USSD clients, SMS clients etc.
Figure 28: Application Architecture of Mobile Transaction Processing
Deployment Architecture - Indicative
The functional and non-functional requirements of the mobile commerce business model determine the
production run time deployment architecture. Service factors such as availability, performance,
security, auditing, scalability, business continuity and disaster recovery have an important
influence on the deployment architecture of the mobile transaction processing solution. The network
infrastructure is one of the key components of the production environment to which the solution is
deployed. The network connectivity depends on the partner networks (payment gateways, telco
operators, FIs, payment service networks etc) which need to be integrated in the context of
mobile transaction processing. The security and compliance requirements (PCI DSS) are also major
factors determining the target deployment architecture. The diagram below depicts an indicative
architecture for high availability deployment.
Figure 29: Mobile Transaction Processing Solution - Deployments
The following are the salient features of the target deployment architecture:
1. All incoming and outgoing traffic is secured through a first level IP firewall, with NAT based firewall
rules.
2. Incoming traffic is distributed to the web server cluster by a load balancer pair which also acts as an
SSL termination appliance.
3. The web server cluster routes service requests to the application server cluster located in the core
zone, through a highly available load balancer cluster which distributes the load across the
application server cluster. The service composite applications for mobile transaction processing
are deployed into the application server runtime environments for the BPEL, ESB and Adapter engines.
4. The database server cluster is located in the core zone, separated from the application servers by
dedicated and secured VLANs.
5. All the personally identifiable data in the database is encrypted in storage.
6. Business continuity and disaster recovery requirements (RTOs, RPOs) are met with a standby DR
center, which is constantly updated through SAN level replication.
7. The file transfers in the system (for settlement and for internal and external integrations) are
carried over secured SSH or SFTP channels.
8. The external partners (telcos, FIs, payment gateway service providers) and external services are
connected through dedicated leased lines and secured VPN internet connections, depending upon
the nature of the connection required.
9. Primary and secondary data centers are deployed with appropriate levels of intrusion detection,
audit change management systems, to securely monitor the hosting infrastructure.
10. All servers in the primary and secondary data centers are secured through virus protection software.
11. The infrastructure elements in the primary and secondary data centers are constantly monitored
through a well defined monitoring system.
12. The access and authorization to all infrastructure resources are controlled.
13. The deployment environment is inspected by regularly planned system vulnerability scanning tasks,
to identify and address any internal and external security threats.
14. Any wireless LANs (WLANs: Wi-Fi or Bluetooth) associated with the deployment environments are
assessed as per the PCI-DSS 2.0 requirements for wireless payment networks.
15. The firewall rules are configured to filter out / block any unauthorized wireless traffic entering the
core processing zones.
Network Connectivity
The network and communication infrastructure is an important and critical part of a mobile transaction
and payment processing infrastructure. Secured and highly available network communications between
the various participants in the ecosystem are necessary to ensure high quality end-to-end mobile transaction
processing. The following types of network connectivity links are required to build a network
infrastructure that can support mobile transaction and payment processing services:
1. Network communication link between the mobile transaction processor and telco (mobile network
operator) service providers.
2. Network connectivity between the mobile clients and mobile transaction service providers (through
MNOs).
3. Network connectivity between mobile transaction and payment processing service providers and
various payment gateway service providers, acquirers, and any third party aggregators, as
required for payment authorizations and settlements.
4. Network connectivity between the organization's data center and any externally located mobile
transaction service providers.
5. Network connectivity between primary and secondary data centers hosting