Yandex.Money has added a new contactless payment method - via Android Pay. Our solution for Android. How to use Yandex.Money for contactless payment

The Yandex.Money application for Android devices now supports MasterCard Cloud-Based Payments (MCBP) contactless technology. Now users can pay in stores, as well as deposit and withdraw cash at ATMs, simply by tapping their smartphone to a reader that supports this technology. To do this, the NFC function must be activated on your phone.

To pay contactlessly, you don’t have to install additional programs - just update the Yandex.Money application to the latest version and select “Contactless payments” in it. The application will create a digital contactless MasterCard directly on your phone, the balance of which will be equal to the amount in the electronic wallet. You can top it up by depositing money into your wallet in any convenient way. The PIN code for the card will be sent via SMS, but if the purchase price does not exceed a thousand rubles, the user will not have to enter it or sign the receipt.

One-touch payment by phone fully complies with MasterCard security requirements - payment data is securely encrypted, and the application is protected by an access code that is specified by the user. To make a purchase, you need to click the “Pay” button in the application, enter the access code and bring the phone to the reader. There is no commission for paying this way.

Contactless payments are available to all Yandex.Money users with smartphones running Android version no lower than 4.4 and supporting the NFC function. According to the payment service, about 60% of users of the Yandex.Money mobile application for Android have phones with NFC.

Contactless payment technologies are becoming increasingly popular. According to a 2015 survey by Gemalto and J'son & Partners, 66% of Russians aged 16 to 35 would like to use their phone as a means of contactless payments. And Strategy Analytics predicts that already this year over 100 million people around the world will make purchases through smartphones with NFC.

Payments using MasterCard contactless technology are accepted by more than 4 million merchants in 74 countries. In Russia over the past year their number has increased by 138%. Russians can pay contactlessly in stores, pharmacies, cinemas, dry cleaners, cafes and restaurants throughout the country. This payment method is available at the ticket offices of railway stations in Moscow, St. Petersburg, Kazan and Nizhny Novgorod, as well as in public transport - for example, at the turnstiles of the Moscow, St. Petersburg and Novosibirsk metro, on buses in Moscow, the Moscow region and St. Petersburg. You can also pay for travel contactlessly on the Aeroexpress - at turnstiles in Moscow, as well as at ticket offices and ticket machines in Kazan. Drivers can pay with one touch at parking meters in the capital.

The Yandex.Money service application for mobile devices now offers the possibility of contactless payments.

The Yandex.Money application for Android devices now supports MasterCard Cloud-Based Payments (MCBP) contactless technology.

Now Yandex Money users can pay in stores, as well as deposit and withdraw cash at ATMs, simply by touching their smartphone to a reader that supports this MCBP technology.

To do this, the NFC function must be activated on the smartphone.

What is the NFC function

NFC stands for Near Field Communication, that is, wireless communication over short distances.

Thanks to this feature, two NFC-compatible devices can communicate with each other when they are close to each other, just a few centimeters away.

NFC technology is used in mobile devices for various purposes:

    you can, for example, turn your phone into a virtual bank card;

    you can use your phone as a pass to a pool or business;

    you can also quickly share files and links.

In the Android operating system, support for the NFC function appeared in Android 4.0.

How to make contactless payments with Yandex.Money using a smartphone

To make contactless payments with Yandex.Money using a smartphone, there is no need to install additional programs. Just update the Yandex.Money application for Android devices to the latest version and select “Contactless payments”.

The Yandex.Money application will create a digital contactless MasterCard directly on your phone, the balance of which will be equal to the amount in the Yandex.Money e-wallet.

You can top up your Yandex.Money e-wallet by depositing money into the e-wallet in any convenient way.

The PIN code for the contactless card will be sent via SMS message, but if the purchase price does not exceed 1000 rubles, the user will not have to enter it or sign the receipt.

Contactless payment with one touch by phone fully complies with MasterCard security requirements:

    payment data is securely encrypted, and

    the application is protected by an access code that is specified by the user of the Yandex.Money application.

To make a purchase with a smartphone:

    in the Yandex.Money application on your mobile device (phone), you need to click the “Pay” button,

    enter the access code and

    bring the phone to the reader.

There is no commission for paying with Yandex.Money in this way.

Contactless payments are available to all users of the Yandex.Money service with smartphones running Android version no lower than 4.4 and supporting the NFC function.

According to the Yandex.Money payment service, about 60% of users of the Yandex.Money mobile application for Android have phones with the NFC function. The considered contactless payment technology is becoming increasingly popular.

Payments using MasterCard contactless technology are accepted by more than 4 million merchants in 74 countries. In Russia over the past year their number has increased by almost 140%. Russians can pay contactlessly in stores, pharmacies, cinemas, dry cleaners, cafes and restaurants throughout the country.

Card terminals for contactless payments can be recognized by a small “wave” icon, and on the MasterCard website there is a map of “contactless” stores and businesses.

Such terminals are installed in parking meters, on toll highways, gas stations, turnstiles in the metro and, of course, in the most ordinary stores.

The well-known domestic Russian payment system Yandex Money quickly became popular. Currently, it competes quite successfully with the giant WebMoney. For modern users, the developers of this system have come up with many interesting surprises and features.

Thus, Yandex.Money users suddenly have the opportunity to top up their electronic wallet using Apple Pay, a means for online and mobile payments. This service is available in the Yandex.Money program for iOS on iPhone 6 and newer phones, as well as on iPad Pro, mini 3, Air 2 and newer tablets.

How to pay with Apple Pay

After connecting Apple Pay to Yandex Money, you won’t even have to take the card out of your wallet or pocket. It will be enough to bring your smartphone to the contactless payment terminal. Paying using the Apple Pay payment system is always safe. You do not need to provide any PIN codes. You will need to place your finger on Touch ID to confirm the payment.

What you need to use Apple Pay

  1. An iPhone 6, an iPhone SE or a newer model.
  2. Authorization in iCloud, with Touch ID enabled.
  3. A Yandex.Money bank card, or the newest version of the Yandex.Money application.

How to add Apple Pay to the Yandex Money application

You should never be afraid of new technologies. Remember that they are designed to make your life easier. IT technology developers always advise users to follow simple and clear instructions.

  1. Open the Yandex.Money application.
  2. Click on the Apple Pay tab.
  3. Receive a free virtual Yandex.Money card.
  4. Click on the “Add to Apple Wallet” tab.
  5. Fill out the information fields.
  6. Accept the user agreement.
  7. Wait for confirmation from Apple Wallet.

How to use Yandex Money for contactless payment

At any modern bank terminal that supports contactless payment, do the following:

  1. Bring your phone to the terminal and place your finger on Touch ID.
  2. The funds are debited instantly from your Yandex.Money wallet.

Yandex.Money users will also be able to pay through the Apple Pay payment system for purchases in applications, on websites and in online stores. In order to pay this way, you need to add a virtual or plastic Yandex.Money card to Apple Wallet. This can be done through the Apple Wallet application, or Yandex.Money for iOS. When paying from a Yandex.Money card, funds will be debited from the electronic wallet - they have a common balance. A virtual card is issued in a couple of seconds. The plastic one can be received by mail or at the company office. In total, more than 500,000 plastic and 11 million virtual MasterCard cards were issued under the Yandex.Money brand.

Payments through Apple Pay are completely secure. Card data is not stored either on the user’s smartphone or on Apple servers. Instead, a unique Device Account Number is assigned, encrypted and stored in a chip of the device called the “Secure Element”.

In the very near future, Yandex.Money will enable payment acceptance via Apple Pay for companies that currently use Yandex.Checkout, a universal payment method for business.


Below the cut are details about connecting contactless payments in Yandex.Money, testing and features of security systems with a new type of payment.


In this post we will talk about the Apple Pay and Samsung Pay payment systems, which are based on similar principles and differ in details. For simplicity, I will simply call them *Pay wherever the details are not important.

What is this all for

It has long been possible to pay for goods from your phone - just install your bank’s mobile application, which should have a contactless payment option (the Yandex.Money application is also suitable, by the way). Card data is stored securely on the user's device and is accessible using HCE technology - a software analogue of a bank card chip.


There are also separate programs like Wallet, which offer wireless payment options for partner banks and, as a bonus, storage of discount cards.


This is why contactless payment previously required additional “layers”:

    iPhone owners couldn't pay contactless because the NFC interface on Apple smartphones can't be used directly to pay in third-party apps. In addition, NFC appeared only in the iPhone 6 and SE.

    On many modern smartphones, a separate Secure Element (SE) device has appeared, which performs the functions of the EMV chip of a bank card and is not tied to a specific bank or card. Such a unified solution is more convenient for the user and easier to implement for a bank that did not previously offer payment from a smartphone.

Apple Pay and Samsung Pay are needed primarily to make payment from a smartphone via NFC standardized and safe.

A short excursion into the emergence of Secure Element and card security

Initially, payment cards were issued only with a magnetic strip on which the card number was written. Naturally, the number was easily copied, so the organization EMVCo got down to business and developed a more secure EMV chip. This measure significantly reduced the number of fraudulent transactions, but did not completely solve the problem. In addition, the payment process was not perfect, so work continued on further improvements.



The path was thorny, and among others, payment systems tried the following options:

    a SIM card with a built-in Secure Element chip, issued jointly by a mobile operator and the issuing bank;

    a sticker for a phone with a built-in wireless module and Secure Element;

    the NFC adapter built into the phone together with software emulation of the Secure Element (HCE).

Ultimately, MasterCard "shuffled the cards" and assigned the functions of storing card data and processing payments to mobile device manufacturers. This is how MasterCard Digital Enablement Service (MDES) came about, and then *Pay.


But HCE has not completely disappeared, as it allows banks to use their own mobile applications for contactless payments. That is, the bank can independently add a card payment function to its application. Plus, the application can implement some branded conveniences such as payment for housing and communal services.


By the way, in mobile Yandex.Money there is also an option for contactless payment through HCE - for all those who, for various reasons, cannot use *Pay.

Make friends with everyone

I hope that now all cause-and-effect relationships have been restored, so let’s return to the Yandex.Money contactless payment project.


If something is still unclear, be sure to ask in the comments.


I will illustrate all further scenarios using the example of Yandex.Money cards, for which the most information has been collected.


In order for the user to easily pay for goods from the phone, close cooperation between four parties is necessary:

    contactless payment service from the smartphone manufacturer (Apple Pay and Samsung Pay);

    payment system (MasterCard);

    card issuer (Yandex.Money);

    the seller's acquiring bank.

Thus, the Yandex.Money team needed to come to an agreement with Apple, Samsung, Mastercard and implement support for updated payment protocols on its side. We also needed to add payment acceptance via Apple Pay and Samsung Pay to Yandex.Checkout, a payment solution for business. But that is another story.



The illustration is missing the acquiring bank - I removed it for simplicity.


When a user adds a card to a wallet, Apple Wallet generates a cryptogram with encrypted card data and a digital signature and then sends it to MasterCard. There the cryptogram is decrypted and tokenization occurs. Tokenization is the generation of a DPAN number, which is a synonym for the original card, unique for each physical device.


A reminder about DPAN and its features

Digital Primary Account Number (DPAN) is a special token number that the payment system issues to a specific device for using one of the user’s cards. This number is unique for each device and is therefore generated every time the same card is added to the wallet of the next device.


The token is needed in order not to store real payment data on the mobile device.
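
The per-device behaviour of DPAN described above, as an added example that is not part of the original post and is not MDES code. The TokenVault class, the 999999 token prefix, the device names and the test card number are constructed for illustration, and device binding is modelled as a plain device id comparison.

```python
import secrets

def luhn_check_digit(partial: str) -> str:
    """Digit that makes partial + digit pass the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:            # doubled once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)

class TokenVault:
    """Toy stand-in for the payment system's token service (not MDES itself)."""
    TOKEN_PREFIX = "999999"       # constructed placeholder, not a real token range

    def __init__(self):
        self._tokens = {}         # dpan -> {"pan", "device", "active"}
        self._issued = {}         # (pan, device) -> dpan

    def tokenize(self, pan: str, device: str) -> str:
        """Return the DPAN for this card on this device, creating it if needed."""
        if (pan, device) in self._issued:   # assumption: re-adding is idempotent
            return self._issued[(pan, device)]
        while True:
            body = self.TOKEN_PREFIX + "".join(secrets.choice("0123456789") for _ in range(9))
            dpan = body + luhn_check_digit(body)
            if dpan not in self._tokens:
                break
        self._tokens[dpan] = {"pan": pan, "device": device, "active": True}
        self._issued[(pan, device)] = dpan
        return dpan

    def detokenize(self, dpan: str, device: str):
        """Resolve a DPAN to the real PAN only for the device it was issued to."""
        rec = self._tokens.get(dpan)
        if rec is None or not rec["active"] or rec["device"] != device:
            return None
        return rec["pan"]

    def suspend_device(self, device: str) -> int:
        """Deactivate every token on a lost or stolen device; the card is untouched."""
        hit = [r for r in self._tokens.values() if r["device"] == device and r["active"]]
        for rec in hit:
            rec["active"] = False
        return len(hit)

TEST_PAN = "5555555555554444"     # constructed test card number, not a real account

if __name__ == "__main__":
    vault = TokenVault()
    a, b = vault.tokenize(TEST_PAN, "phone-A"), vault.tokenize(TEST_PAN, "phone-B")
    print(a != b, vault.detokenize(a, "phone-B"))   # tokens differ; wrong device gets nothing
    vault.suspend_device("phone-A")
    print(vault.detokenize(a, "phone-A"), vault.detokenize(b, "phone-B") == TEST_PAN)
```

Suspending the tokens of one device leaves the same card usable on every other device, which is the practical benefit of issuing a separate DPAN per device.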


But DPAN will not be generated until MasterCard verifies *Pay support on the issuer’s side, that is, Yandex.Money. To do this you need:

    Wait for Apple or Samsung to check whether the device can be used for payment (whether the phone is stolen, whether it has root rights, etc.).

    Connect to MasterCard Digital Enablement Service (MDES). Details about such applications are almost completely subject to NDA, so those interested will have to request documentation directly from MasterCard.

    Implement support for specific *Pay requests.

    Test the system with Apple, Samsung and MasterCard. Testing is partially on-site, so everything is not as simple as it might seem.

But the user may want to add a card not manually, but from the Yandex.Money application. There is such a possibility, but a slightly different mechanism is used.

Red, yellow, green

When a user adds a card to a phone wallet, one of three scenarios for further developments is triggered, depending on the degree of risk:

    Green. It is used when a request to add a card comes from the issuer’s mobile application (Yandex.Money) and it contains a special key that confirms the user’s authentication in the banking application. No additional checks are required.

    Yellow. Typically used when adding a card manually or using your phone's camera (OCR). The wallet will ask for the card's CVV code and request additional authentication.

    Orange. In fact, it means a refusal to add a card.

If you don’t yet have a Yandex.Money plastic card, then you can issue a virtual one directly in the application to try it out.


But we do not live in an ideal spherical world, so the yellow path will often be used. To ensure that it also runs smoothly and that there are no problems at the stage of recognizing the card details by the camera, we sent more than 200 photos of test cards to Apple. Without this training, the recognition algorithm periodically made mistakes and tried to add a card with incorrect data to the wallet.

Pre-flight preparation

When the necessary software on the backend was ready, and the beta version of Yandex.Money was trained in the intricacies of Apple Pay (the tokenization option through our mobile application is not yet available for Samsung Pay), the tedious time of testing came.


By the way, to join the “banquet” it is not enough to implement everything and inform MasterCard that you are ready - the payment system and phone manufacturers will definitely check you personally. For example, regarding Apple Pay, a friend from the UL company came to us with a set of various Apple gadgets. He had 6 iPhones alone - 3 generations in 2 versions (simple and Plus). With their help, the auditor checked many payment scenarios, including refunds.


The updated Yandex.Money processing worked in an isolated test segment, so a “white list” of cards was used for verification - for them MasterCard simply enabled *Pay payments. But there were some difficulties with Apple's test environment.


For example, there was no separate payment infrastructure for testing, so Yandex.Money testers had to transfer their smartphones and Apple ID to the “USA” region and select answers to some queries on their own.


But the devil is in the details, and mistakes are in the last mile. It turned out that not all banks monitor the firmware updates of their terminals, and cashiers are mostly unfamiliar with modern technologies.



There are quite a few models of payment terminals and firmware for them, and the oldest of them went crazy when faced with *Pay. I had to understand and forgive, simultaneously informing the support of the relevant banks about “slight difficulties with the POS terminal.”


When everything seemed to be working, some transactions began to receive amounts with a dash in the mobile wallet. This clearly meant problems outside of the Yandex.Money systems. Of course, such reports did not affect the payment itself, but cognitive dissonance was present.

(Not) loophole for scammers

Tokenization of cards by Yandex.Money, like other banks, is accompanied by checking such requests for fraudulent patterns. For this purpose, Yandex.Money has a separate mechanism with its own complex logic and powers to block extremely suspicious transactions - the anti-fraud system.


Since the system works based on certain rules, a potential security issue was discovered when tokenizing someone else's card onto a device. To do this, you need the card number, expiration date and CVC2. Yes, the issuer will probably request additional validation, but even in the case of an SMS password, phishing and social engineering work. For payment amounts up to 1,000 rubles, the terminal will not even ask for a PIN code, and SMS notifications are still not enabled for all cardholders.


Such threats can be dealt with at the processing level. Every user action with their account or card is checked in real time by the anti-fraud engine: if at least one blocking rule is triggered, the transaction will be rejected.


For each Yandex.Money user, an individual behavioral profile is formed: what he likes and dislikes, how and when he usually pays, typical periods of activity and many other characteristics. Based on this information and with the help of machine learning, a forecast of future values, that is, the most likely human actions, is made. If the antifraud detects deviations between actual indicators and their forecast, it may request additional authentication or reject the transaction.
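
The decision logic described in the last two paragraphs, as an added example that is not Yandex.Money's anti-fraud code. The rule names, thresholds, profile fields and sample events are constructed, and a simple mean and standard deviation baseline stands in for the machine-learning forecast.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Event:
    user: str
    kind: str         # "tokenize" or "pay"
    amount: float     # rubles, 0 for tokenize
    hour: int         # local hour of day
    device: str
    source: str = ""  # tokenize only: "issuer_app", "manual" or "ocr"

@dataclass
class Profile:        # per-user behavioural baseline (hypothetical fields)
    devices: set
    hours: set
    amounts: list

# Blocking rules: a single hit rejects the action (thresholds are assumptions).
def blocked_device(ev, prof, ctx):
    return ev.device in ctx["blocked_devices"]

def tokenize_burst(ev, prof, ctx):
    return ev.kind == "tokenize" and ctx["tokenizations_24h"].get(ev.user, 0) >= 3

BLOCKING_RULES = [blocked_device, tokenize_burst]

def deviations(ev, prof):
    """Named differences between the event and the user's usual behaviour."""
    found = []
    if ev.device not in prof.devices:
        found.append("new_device")
    if ev.hour not in prof.hours:
        found.append("unusual_hour")
    if ev.kind == "tokenize" and ev.source != "issuer_app":
        found.append("unauthenticated_source")
    if ev.kind == "pay" and len(prof.amounts) >= 2:
        mu, sigma = mean(prof.amounts), pstdev(prof.amounts)
        if sigma > 0 and abs(ev.amount - mu) > 3 * sigma:
            found.append("unusual_amount")
    return found

def decide(ev, prof, ctx):
    """Return (decision, reasons): blocking rules first, then profile deviations."""
    hits = [rule.__name__ for rule in BLOCKING_RULES if rule(ev, prof, ctx)]
    if hits:
        return "reject", hits
    found = deviations(ev, prof)
    if len(found) >= 3:
        return "reject", found
    return ("step_up", found) if found else ("approve", found)

# Constructed sample data.
PROFILE = Profile({"phone-A"}, set(range(8, 23)), [250, 400, 310, 520, 380])
CTX = {"blocked_devices": {"phone-X"}, "tokenizations_24h": {"alice": 0}}
EVENTS = [
    Event("alice", "tokenize", 0, 12, "phone-A", "issuer_app"),
    Event("alice", "tokenize", 0, 12, "phone-B", "manual"),
    Event("alice", "tokenize", 0, 3, "phone-B", "manual"),
    Event("alice", "pay", 900, 14, "phone-A"),   # under 1,000 rubles, so no PIN at the terminal
    Event("alice", "pay", 300, 10, "phone-X"),
]

def run():
    return [decide(ev, PROFILE, CTX)[0] for ev in EVENTS]
```

The 900 ruble payment is the case the terminal would let through without a PIN, so the step-up here comes only from the behavioural baseline.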


A lot of interesting things can be said about machine learning in security systems in connection with its long-standing implementation in Yandex.Money, but this is the topic of a separate article.


If you have come across other nuances of connecting to *Pay at work, please share in the comments, many will be curious.
