Designing Secure, Scalable Contactless Payment Systems

May 24, 2018

By: Gregory Guez
Executive Director, Secure Micros, Maxim Integrated 


While contactless payments might seem like a modern-day concept, the process has actually been around since the late 1990s. In 1997, Mobil (now part of Exxon) launched its Speedpass contactless payment system at its participating gas stations. Fast-forward to now and, with the prevalence of smartphones and wearable devices, completing payment transactions via radio-frequency identification (RFID) or near-field communication (NFC) is a regular part of the point-of-sale (POS) landscape.

For consumers, a contactless transaction is a much faster, better experience. For retailers, supporting this method could be good for the bottom line. Over the last year, 86% of U.S. consumers left a store because of long lines, costing retailers US$37.7 billion in potential sales, according to a survey conducted on behalf of payment platform provider Adyen.

In fact, paying for goods and services via phones and wearables could just be the tip of the iceberg in this age of the internet of things (IoT). Visa, for example, envisions payment processing via cars and has, thus, expanded its Visa Ready Program to certify and secure payment transactions for the IoT. “Imagine with just a touch of a button, consumers could pay for gas, food or parking without leaving their connected car,” the company notes in a blog post. According to B2B research firm MarketsandMarkets, the contactless payment market will grow to US$17.56 billion by 2021, up from US$6.70 billion in 2016.

While convenience is a big attraction, contactless payments, particularly via IoT devices, must be highly secure in order for users to feel comfortable embracing this mode. That’s where the underlying technology in the devices themselves comes into play.

Contactless payment: Many consumers enjoy the speed and convenience of contactless payments, but this method still needs to be highly secure.

Keeping On-the-Go Payments Safe

The mobile POS (mPOS) market consists of small devices with a display, keypad, magnetic stripe reader, and smartcard and contactless card reader. These self-contained mPOS devices connect to a smartphone or tablet over Bluetooth or WiFi. To comply with stringent payment certifications, designers build highly integrated secure microcontrollers into these designs. The secure chip provides payment-specific functions like secure key storage, enables cryptographic capabilities, and ensures proper tamper detection and reaction.

Some companies opt to use multiple discrete chips for capabilities such as contactless payment, magnetic stripe reader, and Bluetooth. Note that it’s critical for the Bluetooth capability to be secure as well. Bluetooth Low Energy (BLE) 4.2 provides encryption and secure connections (authentication) that allow only trusted owners to track device location and confidently pair devices. Of course, a multiple-chip methodology is more expensive and complex when it comes to development and security, and it has a significant impact on time to market as well. In addition, while these designs ought to scale to be practical, many of the underlying technologies offer only limited embedded flash memory to support increased functionality. In an ideal world, software developers would like to have unlimited flash.

Now, there’s a single-chip solution that addresses the complexity as well as scalability and security requirements for mPOS contactless payment designs. Maxim has unveiled a new secure Arm® Cortex®-M4 microcontroller with contactless payment and Bluetooth support. The MAX32565 negates the need for multiple discrete chips by integrating contactless, Bluetooth Low Energy 4.2, magnetic card reader, and smartcard capabilities onto a single chip. Its 128KB of SRAM can be configured to be AES encrypted and battery backed. Memory space can be further expanded through external fast serial flash memories via its flexible Quad-SPI controller with execute-in-place (XIP) support as well as support for on-the-fly decryption and authentication. The Quad-SPI controller provides a high level of security as the code is decrypted in real time. It also checks for authenticity, reducing the risk of illegal code or fraudulent code relocation in external flash. What’s more, this secure memory expansion allows complex firmware with large font sets and graphics. The device includes a high-performance cryptographic engine as well as a True Random Number Generator and a high-level library that’s immune to side-channel attacks. The level of security provided here is compatible with PCI-PTS 5 requirements.
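To illustrate why an authenticity check on external flash can catch both modified code and relocated code, here is an added example (not Maxim code and not the MAX32565's actual scheme) that binds each block's address into its authentication tag. The block size, keys, and function names are assumptions, and an HMAC-SHA256 keystream stands in for the AES engine because the Python standard library has no AES.

```python
import hashlib
import hmac

BLOCK = 32  # bytes per protected flash block (constructed value)

def _keystream(enc_key: bytes, addr: int) -> bytes:
    # Stand-in for an address-tweaked AES keystream (assumption, see lead-in).
    return hmac.new(enc_key, b"ks" + addr.to_bytes(4, "big"), hashlib.sha256).digest()[:BLOCK]

def _tag(mac_key: bytes, addr: int, ct: bytes) -> bytes:
    # The tag covers the block address as well as the ciphertext.
    return hmac.new(mac_key, addr.to_bytes(4, "big") + ct, hashlib.sha256).digest()[:16]

def program_flash(image: bytes, enc_key: bytes, mac_key: bytes) -> dict:
    """Provisioning side: return {address: (ciphertext, tag)} for external flash."""
    flash = {}
    for addr in range(0, len(image), BLOCK):
        pt = image[addr:addr + BLOCK].ljust(BLOCK, b"\xff")
        ct = bytes(p ^ k for p, k in zip(pt, _keystream(enc_key, addr)))
        flash[addr] = (ct, _tag(mac_key, addr, ct))
    return flash

def fetch(flash: dict, addr: int, enc_key: bytes, mac_key: bytes) -> bytes:
    """Controller side: verify the tag first, then decrypt; refuse on mismatch."""
    ct, tag = flash[addr]
    if not hmac.compare_digest(tag, _tag(mac_key, addr, ct)):
        raise ValueError(f"authentication failed at 0x{addr:06x}")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, addr)))

def rejected(flash: dict, addr: int, enc_key: bytes, mac_key: bytes) -> bool:
    """True when the controller would refuse to execute the block at addr."""
    try:
        fetch(flash, addr, enc_key, mac_key)
        return False
    except ValueError:
        return True

# Constructed sample: two device keys and a 64-byte "firmware" image.
ENC_KEY, MAC_KEY = b"E" * 32, b"M" * 32
IMAGE = bytes(range(64))
FLASH = program_flash(IMAGE, ENC_KEY, MAC_KEY)

RELOCATED = dict(FLASH)
RELOCATED[0] = FLASH[32]  # a valid block and tag copied to a different address

TAMPERED = dict(FLASH)
_ct, _t = FLASH[0]
TAMPERED[0] = (bytes([_ct[0] ^ 1]) + _ct[1:], _t)  # one ciphertext bit flipped
```

Because the address is part of the tagged data, a block that verifies at its programmed address fails verification anywhere else, even though its ciphertext and tag are untouched.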

The MAX32565 secure microcontroller is ideal for protecting mobile payment/portable terminals, ATM/financial terminals, PCI payment terminals, as well as industrial gateways. Access control systems like keyless entry are another application area for which this device is well suited. According to a recent report from the BBC, hotel door locks around the world have been found vulnerable to hacking. A secure microcontroller with BLE guards against unauthorized access while also providing protection via environmental, microprobe, and user-configurable external dynamic tamper sensors that can trigger a system-level tamper response when necessary. The MAX32565-KIT evaluation kit provides an easy way for you to evaluate the capabilities of the MAX32565 for your next contactless payment design.