Samsung Pay has launched in South Africa, and offers Absa and Standard Bank clients a way to pay for things at just about any credit card machine in the country using their smartphone.
What sets Samsung Pay apart from similar mobile payment apps is that it does not need special equipment at the till, nor does the card terminal have to support near field communication (NFC), the technology behind contactless “tap-and-go” payments with ordinary bank cards.
The app does support NFC, and prefers to use it where available, but it also supports a technology called magnetic secure transmission (MST), which mimics the swipe of a card through a terminal’s magnetic stripe reader using a magnetic field.
When it was originally developed, the aim of MST was to turn card terminals already installed in shops and restaurants around the world, which may only have magnetic stripe readers, into tap-to-pay machines.
Since your phone transmits your card credentials wirelessly to the card machine, people’s natural reaction is to ask: is it safe?
Samsung has gone to some lengths to ensure that your card information remains safe at all times, from how it is stored on your phone to how it is ultimately sent to the card machine when making a payment.
Your card information is not stored
When adding your card to Samsung Pay, your smartphone encrypts the information before sending it to Samsung’s servers. From there it is sent to the card issuer’s network for verification.
Your bank will send you a one-time PIN before the card is verified for use through Samsung Pay. This ensures that stolen or lost cards are not added to the app fraudulently.
Once you’ve authorised your card, the 16-digit primary account number (PAN) printed on your card is replaced with a token, or digitised PAN. Effectively a virtual version of your card is created with a completely different set of digits.
Even if an attacker manages to extract the card data stored in Samsung Pay, what they get is the token rather than your real card number, so your real card details are kept safe.
Only the last four digits of your credit card are shown in Samsung Pay to help you manage your cards.
This process takes place every time you add a payment card. A new token will be generated even if you remove a card from Samsung Pay and immediately add it back.
More information about this is available on Samsung’s developer website on tokenisation.
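The tokenisation described above, as an added worked example (this is not Samsung’s code, and the token format, the vault layout and the test card number are assumptions made here): the vault on the token service provider’s side maps a random, Luhn-valid 16-digit token to the real PAN; the wallet only ever holds the token and the last four digits; removing a card retires its token, so adding the card back produces a new one.

```python
"""Toy token vault illustrating payment-card tokenisation.

Added example, not Samsung's code. Assumptions not taken from the article:
the token is a random 16-digit, Luhn-valid number; the vault lives with the
token service provider (the device never holds the real PAN); removing a
card retires its token, so re-adding the card gets a brand-new one.
"""
import secrets
from typing import Dict, Optional, Tuple


def luhn_check_digit(body: str) -> str:
    """Return the check digit that makes body + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # these positions are doubled once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the full number (with its check digit) passes the Luhn test."""
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


class TokenVault:
    """Server-side mapping token -> real PAN. Only the issuer side can reverse a token."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}

    def issue_token(self, pan: str) -> str:
        if len(pan) != 16 or not luhn_valid(pan):
            raise ValueError("PAN must be 16 digits and pass the Luhn check")
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(15))
            token = body + luhn_check_digit(body)
            # Never hand out the real PAN itself or a token that is already in use.
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        return token

    def revoke(self, token: str) -> None:
        """Called when the card is removed from the wallet: the token is dead from now on."""
        self._pan_by_token.pop(token, None)

    def detokenise(self, token: str) -> Optional[str]:
        """Only the token service can turn a token back into a PAN; a thief cannot."""
        return self._pan_by_token.get(token)


def masked_for_display(pan: str) -> str:
    """What the wallet app shows the user: only the last four digits of the real card."""
    return "**** **** **** " + pan[-4:]


def add_remove_readd(vault: TokenVault, pan: str) -> Tuple[str, str]:
    """Simulate removing a card and adding it back: two distinct tokens, the first now dead."""
    first = vault.issue_token(pan)
    vault.revoke(first)
    second = vault.issue_token(pan)
    return first, second


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"  # well-known test PAN, not a real card
    tok = vault.issue_token(test_pan)
    print("wallet shows :", masked_for_display(test_pan))
    print("token issued :", tok, "(Luhn valid:", luhn_valid(tok), ")")
    old, new = add_remove_readd(vault, test_pan)
    print("after re-add :", old, "->", vault.detokenise(old), "|", new, "->", vault.detokenise(new))
```

The point of the Luhn check digit is only that the token is format-preserving, so it fits in the same fields a PAN would; it is deliberately random rather than derived from the PAN, which is why knowing the token tells an attacker nothing about the real card number.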
Before you can add a card to Samsung Pay, your phone will ensure that you have at least a PIN set up to prevent unauthorised use.
You may also choose to configure fingerprint or iris scanning to unlock Samsung Pay when you want to make a payment.
Once you have unlocked Samsung Pay, the phone will start to vibrate in your hand to indicate that it is transmitting your tokenised card data. It stops automatically after 30 seconds, or sooner if it detects that a card machine has read the data.
Samsung has implemented several different key-management mechanisms so that payments can be made even when an Internet connection is not available.
These include cloud-based key management, where a batch of single-use keys is stored on your device and one key is consumed every time you make a transaction. The batch is refreshed whenever the phone connects to the Internet.
Samsung Pay also offers trusted execution environment (TEE) key management. TEE-based keys are replaced as needed, and may be suspended or deleted just like cloud-based keys.
More information on Samsung Pay token handling is available on the company’s developer portal.
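The single-use key scheme from the two paragraphs above, as an added worked example (not Samsung’s code; the message layout, batch size, HMAC-SHA256 cryptogram and the `TokenService`/`Device` split are assumptions made here). The phone fetches a small batch of keys while online, spends one key per payment to sign the transaction data that goes out over NFC or MST, and the token service refuses a key it has already accepted. That is what makes offline payments possible and what stops an eavesdropper from replaying a captured transmission or changing the amount.

```python
"""Single-use payment keys: why the wallet can pay offline and why a captured
NFC/MST burst cannot simply be replayed.

Added example, not Samsung's code. The message layout, batch size and the
HMAC-SHA256 cryptogram are assumptions made here for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple


def transaction_message(token: str, key_id: str, amount_cents: int,
                        terminal_id: str, nonce: str) -> bytes:
    """Canonical bytes covered by the cryptogram; changing any field breaks it."""
    return f"{token}|{key_id}|{amount_cents}|{terminal_id}|{nonce}".encode()


class TokenService:
    """Server side: issues single-use keys for a token and verifies cryptograms."""

    def __init__(self, token: str) -> None:
        self.token = token
        self._keys: Dict[str, bytes] = {}   # key_id -> key
        self._spent: set = set()            # key_ids already accepted once

    def replenish(self, count: int) -> List[Tuple[str, bytes]]:
        """Called while the phone is online; returns fresh keys to store on the device."""
        batch = []
        for _ in range(count):
            key_id, key = secrets.token_hex(4), secrets.token_bytes(32)
            self._keys[key_id] = key
            batch.append((key_id, key))
        return batch

    def verify(self, payment: dict) -> str:
        """Return 'approved' or the reason for declining."""
        key_id = payment["key_id"]
        key = self._keys.get(key_id)
        if key is None:
            return "declined: unknown key"
        if key_id in self._spent:
            return "declined: key already used (replay)"
        msg = transaction_message(payment["token"], key_id, payment["amount_cents"],
                                  payment["terminal_id"], payment["nonce"])
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, payment["cryptogram"]):
            return "declined: bad cryptogram"
        self._spent.add(key_id)   # the key is now burnt; a second use is a replay
        return "approved"


class Device:
    """Phone side: holds the batch of single-use keys and spends one per payment."""

    def __init__(self, token: str) -> None:
        self.token = token
        self._keys: List[Tuple[str, bytes]] = []

    def sync(self, service: TokenService, count: int = 3) -> None:
        """Needs Internet: top up the on-device batch."""
        self._keys.extend(service.replenish(count))

    def keys_left(self) -> int:
        return len(self._keys)

    def pay(self, amount_cents: int, terminal_id: str) -> Optional[dict]:
        """Build what goes out over NFC or MST; None when the batch is exhausted."""
        if not self._keys:
            return None
        key_id, key = self._keys.pop(0)   # consumed here, whether or not a terminal reads it
        nonce = secrets.token_hex(8)
        msg = transaction_message(self.token, key_id, amount_cents, terminal_id, nonce)
        return {"token": self.token, "key_id": key_id, "amount_cents": amount_cents,
                "terminal_id": terminal_id, "nonce": nonce,
                "cryptogram": hmac.new(key, msg, hashlib.sha256).hexdigest()}


def run_scenario() -> Dict[str, object]:
    """Online sync, offline payments, then what an eavesdropper can do with a capture."""
    token = "4916123456789012"            # constructed token, not a real card number
    service, phone = TokenService(token), Device(token)
    phone.sync(service, count=2)          # online: two keys land on the phone
    first = phone.pay(4500, "SHOP-001")   # offline from here on
    second = phone.pay(1200, "CAFE-002")
    third = phone.pay(999, "SHOP-001")    # batch empty: no payment until online again
    captured = dict(first)                # eavesdropper records the first burst
    tampered = dict(second, amount_cents=1)  # and tries to alter the amount of the second
    results = {
        "first": service.verify(first),
        "second_tampered": service.verify(tampered),
        "second": service.verify(second),
        "replay": service.verify(captured),
        "third_offline": third,
    }
    phone.sync(service, count=1)          # back online: batch refreshed
    results["fourth_after_sync"] = service.verify(phone.pay(999, "SHOP-001"))
    results["keys_left"] = phone.keys_left()
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name:>17}: {outcome}")
```

Two practical consequences fall out of the design. Because each key is removed from the device as soon as it is used, a burst that no terminal ever read still costs a key, which is why the batch is refreshed rather than rationed. And because the server rejects a key on its second appearance, the order in which offline payments reach the issuer does not matter, but a captured payment is worthless once the genuine one has been accepted.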
Lost or stolen smartphone
If your smartphone is ever lost or stolen, you can remotely lock or erase your Samsung Pay credentials from it.
You also have the option to try and locate your device, and erase all personal information stored on it, in addition to your Samsung Pay data.
This article was published in partnership with Samsung.