Page 19 - Digital Financial Services security assurance framework
POS terminal and the Mobile device for proximity payments is through contactless Near Field Communication (NFC), Quick Response (QR) codes or Magnetic Strip Technology (MST). 3G, 4G, and Wi-Fi are prevalently used for mobile wallets. Any risk that exists on a standard desktop or laptop computer may also exist on a mobile device.

Along with the standard communication methods of traditional desktop and laptop computers, mobile devices may also include multiple cellular technologies (e.g., LTE and GSM), GPS, Bluetooth, infrared (IR), and near-field communication (NFC) capabilities. Risk is further increased by removable media (e.g., SIM card and SD card), the internal electronics used for testing by the manufacturer, embedded sensors, and biometric readers.

i. Near Field Communication (NFC): NFC is a wireless communication protocol based on radio-frequency technology that allows data to be exchanged between devices that are a few centimetres apart. A wallet on an NFC-enabled mobile device is a software application stored on the mobile phone that manages and initiates payments. The mobile wallet accesses payment credentials such as tokenized payment cards, bank accounts, loyalty coupons, or financial information stored on the mobile phone in a trusted environment. The physical phone is used to initiate a payment transaction by tapping or holding the mobile device near a contactless-enabled POS terminal.

ii. Magnetic Strip Technology (MST): Magnetic Secure Transmission, or MST, generates a magnetic signal like that of a traditional payment card when swiped. The magnetic signal is then sent from the device to the POS terminal. MST is enabled on some Samsung mobile phones.

iii. QR codes: QR codes offer contactless payment alternatives in two ways:

a. Payer scans the merchant’s QR code: the merchant generates a transaction QR code or displays their assigned static QR code; the payer will then scan the code using their phone camera, and the payment application will interpret the payment or merchant details to initiate the transaction that can be completed by entering a PIN.

b. Merchant scans payer's QR code: the customer, through their payment application, will generate a unique transaction-specific QR code to the merchant; the merchant scans the code through their payment application using a QR scanner to initiate the transaction that can be completed by entering a PIN.

iv. 3G/4G and WiFi

In addition to 3G and 4G cellular networks, mobile devices can also connect to wireless (Wi-Fi) networks; these networks enable the mobile application on the device to interact with the payment service providers. 3G, 4G, and WiFi networks are usually provided by the Mobile Network Operator.

d) Token Service Provider (TSP)
The TSP manages the life cycle of tokens. Additional services typically include creating and storing tokens, managing the token lifecycle, processing token transactions, performing token-to-PAN mapping, cardholder validation, including provisioning services, key management for device-based wallets using HCE, verification services for the transaction and device validity.

e) Acquirer
The acquirer is the financial institution or bank that passes the merchant's transactions along to the applicable issuing banks to receive payment.

f) Issuer
The issuer is the financial institution that issues credit cards to consumers on behalf of the card networks.

g) Wallet Service Provider (WSP)
WSPs offer specific wallet solutions that use various communications technology for mobile payments.

h) Payment Service Provider (PSP)
PSPs provide the various methods that allow a merchant to accept payments from mobile and digital wallets. The PSP can connect to multiple acquirers as well as payment and card networks. By enlisting the services of a PSP, the merchant becomes less dependent on financial institutions to manage transactions, since the PSP can manage bank accounts as well as relationships with the external network.