CDCVM guidelines for secure payments on wearable devices
Contactless payments, made using NFC-enabled smartwatches, wristbands, rings, and other wearables, are expected to continue growing in the next several years. This subset of the contactless market, known as “wearable payments,” is still in its relative infancy, which means market analysts aren’t really tracking it yet, but there are several trends that indicate wearable payments will become an increasingly popular form of payment.
To begin with, wearables themselves are gaining ground, with IDC reporting that wrist-worn devices currently represent 63% of wearable shipments, and Gartner predicting that worldwide spending on wearables of all kinds will grow to USD 63 billion in 2021, an annual increase of 22%.
At the same time, people are making more payments using contactless formats. The transition to contactless, already well underway before the COVID-19 pandemic, has accelerated. It has taken only months for usage rates to reach levels that analysts predicted would take years to achieve. This is in large part due to the perception that, since there is no need to touch the Point of Sale (PoS) terminal to complete the transaction, contactless is more hygienic.
Another factor that can be expected to expand the use of wearable payments, beyond the wider adoption of wearable devices and contactless payments, is the fact that wearables use Consumer Device Cardholder Verification Method (CDCVM) to verify identity as part of the payment approval process.
The benefits of CDCVM for payments
The CDCVM function, first developed for use with smartphones and digital wallets, enables true “tap and go” payments with high-level security. With CDCVM, there is no need to enter a PIN code or provide a signature for high-value payments at the PoS terminal, so the transaction is both touch-free and faster to complete. The CDCVM function also supports use of biometric authentication, including fingerprints, for high-level assurance that whoever is wearing the device and requesting a transaction is, indeed, the device’s legitimate owner. The added convenience and security of CDCVM make contactless payments that much more attractive on consumer devices of all kinds, including wearables.
The CDCVM function is widely recognized for its ability to reduce fraud with in-store purchases and has gained widespread industry support. Merchants like it because it makes the payment process faster and more convenient while reducing fraud. In light of CDCVM’s higher level of security, supported by biometrics, many Payment Network Operators (PNOs) have removed the transaction limits on CDCVM transactions, so consumers can use their devices to make purchases of any amount. From the consumer’s perspective, being able to make payments of any kind, small or large, without having to touch the payment terminal, makes wearable payments all the more attractive.
How is CDCVM implemented on wearables?
The CDCVM function resides on the wearable itself or can be managed through a mobile application running on a companion device, such as a smartphone, connected to the wearable by Bluetooth or some other wireless technology.
The CDCVM function is typically implemented in one of two ways, depending on the capabilities of the wearable. With Instant CDCVM, the authentication status is valid for only a short period of time (usually a minute or less), so verification is required before each payment transaction.
With Persistent CDCVM, the authentication status is valid for a longer period of time. A proximity sensor (or some other indicator, such as a biometric, a light sensor, or switch) is used to detect human presence, indicating the wearable is actually being worn. Once CDCVM authenticates the wearer’s identity, the authentication state persists for a pre-set amount of time or until the wearer removes the device, whichever comes first.
While the wearable is in its CDCVM-authorized authentication state, the wearer can trigger successive payment transactions by indicating consent, with the click of a button or some other action. Indicating consent re-activates the payment function on the contactless interface. Once the payment transaction completes (or after a pre-set time), the payment function goes dormant and is unavailable to the contactless interface. This prevents the wearable from making payments without the wearer’s consent.
To support Persistent CDCVM, the wearable has to have an onboard mechanism to detect if it is on or off the body. There also needs to be a biometric-presence mechanism, such as a light sensor or heart-rate monitor, with a latency of no more than a few seconds. The wearable also needs to have a suitable mechanism for accepting the wearer’s clear consent, so the wearer can easily and quickly indicate approval. As a practical matter, it is recommended that the authentication persistence does not exceed 24 hours.
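The Instant and Persistent behaviour described above, modelled as a small state machine in C. This is an added example, not code from MobileKnowledge or from any PNO specification; the function names, the 30-second consent window, and treating an Instant check as the consent itself are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Assumed limits; real values come from the issuer/PNO requirements. */
#define INSTANT_MAX_S    60u            /* "a minute or less" */
#define PERSIST_MAX_S    (24u * 3600u)  /* recommended 24-hour ceiling */
#define CONSENT_WINDOW_S 30u            /* assumed pre-set arming time */

typedef enum { CDCVM_INSTANT, CDCVM_PERSISTENT } cdcvm_mode_t;
typedef struct {
    cdcvm_mode_t mode;
    bool verified, armed;           /* armed = payment visible over NFC */
    uint32_t verified_at, armed_at; /* monotonic seconds */
} cdcvm_t;

static bool auth_valid(const cdcvm_t *c, uint32_t now) {
    uint32_t max = c->mode == CDCVM_INSTANT ? INSTANT_MAX_S : PERSIST_MAX_S;
    return c->verified && (now - c->verified_at) <= max;
}
void cdcvm_init(cdcvm_t *c, cdcvm_mode_t mode) { *c = (cdcvm_t){ .mode = mode }; }
/* Wearer passed the check. Persistent mode accepts it only while worn;
   Instant mode treats the check itself as consent (assumption). */
bool cdcvm_verify(cdcvm_t *c, uint32_t now, bool on_body) {
    if (c->mode == CDCVM_PERSISTENT && !on_body) return false;
    c->verified = true; c->verified_at = now;
    c->armed = (c->mode == CDCVM_INSTANT); c->armed_at = now;
    return true;
}
/* Off-body event ends the authenticated state immediately. */
void cdcvm_off_body(cdcvm_t *c) { c->verified = c->armed = false; }
/* Consent re-activates the payment function if still authenticated. */
bool cdcvm_consent(cdcvm_t *c, uint32_t now) {
    if (!auth_valid(c, now)) { cdcvm_off_body(c); return false; }
    c->armed = true; c->armed_at = now;
    return true;
}
/* Terminal tap: succeeds only when armed and fresh, then goes dormant. */
bool cdcvm_tap(cdcvm_t *c, uint32_t now) {
    bool ok = c->armed && auth_valid(c, now)
              && (now - c->armed_at) <= CONSENT_WINDOW_S;
    c->armed = false;
    if (c->mode == CDCVM_INSTANT) c->verified = false; /* one payment per check */
    return ok;
}
int main(void) {
    cdcvm_t w;
    cdcvm_init(&w, CDCVM_PERSISTENT);
    cdcvm_verify(&w, 0, true);
    printf("tap before consent: %d\n", cdcvm_tap(&w, 1));
    cdcvm_consent(&w, 2);
    printf("tap after consent: %d\n", cdcvm_tap(&w, 3));
    return 0;
}
```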
Who defines CDCVM guidelines and validations?
The specific CDCVM function to be used has to be agreed upon and validated by the issuer bank and/or the PNO offering the NFC digitized payment card. Issuers and PNOs define the list of supported CDCVM methods and their corresponding priorities based on the targeted markets. This list of supported CDCVM methods is then injected into the secure payment application, which resides on the wearable’s NFC chip, when the payment card is digitized.
Working with CDCVM is made more complicated by the fact that CDCVM is not a standardized process across PNOs. Mastercard, VISA, Discover, and American Express all endorse CDCVM, and mandate CDCVM support for all consumer devices that can be used as credit, debit, or prepaid digitized cards, but they each use their own contactless specification and have their own requirements for validation. Working with a third-party integrator familiar with all these CDCVM functions can make it easier to navigate the requirements.
We’re here to help
At MobileKnowledge, we have more than 10 years of experience in the integration of NFC technology into wearable devices. Our expert team of hardware, software, and system engineers works closely with wearable manufacturers to deliver smart, connected, and secure technologies for today’s markets.
Thanks to our deep understanding of the payments ecosystem, and our extensive dealings with PNOs and issuer banks, the team at MobileKnowledge can help ensure that the definition, implementation, and validation of any CDCVM solution follows the necessary guidelines.
To learn more about how we can help you deploy a CDCVM-enabled wearable, please email us at email@example.com.