Nedbank and Synthesis Support Contactless Payments on Smartphones Using AWS

South African bank Nedbank is committed to prioritizing its product development to suit the needs of its personal and small business clients. To make banking services more inclusive and accessible, the bank worked with AWS Advanced Consulting Partner Synthesis to develop a software-based point-of-sale (POS) system. The solution, built on Amazon Web Services (AWS), can be installed on smartphones without any additional hardware. This allows single operators or small businesses to accept contactless payments easily, lowering the barrier to entry for the country’s retail industry.

Making POS Transactions Available to All

Nedbank Group is one of Africa’s largest banking groups, with operations in South Africa, Namibia, Eswatini (formerly Swaziland), Mozambique, Lesotho, and Zimbabwe, and offshore in the Isle of Man and Jersey. The group is a diversified financial services provider, offering a wide range of wholesale and retail banking services, as well as insurance, asset management, and wealth management solutions.

Nedbank takes a client-centric approach to delivering its banking services. This means working with its business banking and corporate clients to support their individual needs and provide the services that matter most to them. In speaking with clients, the bank recognized that small and microbusinesses struggled to accept digital payments because the available solutions were too expensive and complex for them to adopt. Most payment options required retailers to buy and set up a dedicated hardware terminal, on which customers can tap their debit and credit cards to pay for goods.

When the use of contactless payments rapidly increased during the COVID-19 pandemic, Nedbank saw an opportunity to support small businesses. It developed a software-based point-of-sale (SoftPOS) technology solution that makes it possible for individual sellers or small retail shops to accept payments with only a compatible smartphone. “When we considered developing a SoftPOS payment solution, there were very few companies globally offering the capability,” says Roelien van Rooyen, functional lead for the Emerging Innovation team at Nedbank. “We wanted to create a solution that was quick and easy to use, inexpensive, and met the needs of our clients.”

The bank considered licensing a solution from one of the global card payment giants, but that proved too costly in the long run. Instead, Nedbank approached its trusted technical delivery collaborator AWS Partner Synthesis, and started discussions about building a payment solution with a cloud-based infrastructure, making it the first bank in Africa to offer a SoftPOS solution.

Starting from Scratch with NFC Payments

Having worked together on previous projects, Nedbank and Synthesis already had a positive relationship when they began developing the SoftPOS solution. Nedbank chose to work with Synthesis again because of its extensive experience with AWS and its deep knowledge of encryption and secure banking technologies. “We wanted a long-term partner relationship, not just a solution provider,” says van Rooyen. “Having a local partner gave us the flexibility to develop the product quickly and implement features that best suit the South African market—all proving to be more cost effective than licensing software from outside of the country.”

Previously, retailers who wanted to accept card payments from customers needed a hardware terminal to guarantee the protection of sensitive cardholder data and to comply with payment card industry (PCI) regulations. The challenge for Nedbank and Synthesis was to replicate the high security of a purpose-built POS device in a mobile app using software, ensuring that no additional hardware was required.

The two companies faced challenges in developing the technology to support a new way of accepting payments. “When we started this project, it was brand-new technology,” says Pierre Aurel, head of payments and cryptography at Synthesis. “At that time, very few companies globally had implemented this capability of tapping a card to pay on a mobile phone. And the major challenges were about how to securely make use of the NFC (near-field communication) component on the phone to communicate with a payment card, or another payment device, making use of a digital wallet.”

NFC technology has been around for over 15 years. It is used by digital wallets like Apple Pay and Google Pay to make payments, but it wasn’t until very recently that the NFC payment tags used to receive payments at the point of sale were available on mobile phones. “That was the first big challenge—can we do this on a mobile phone?” says Aurel. “And, secondly, how do you secure the software application on that mobile phone to be as secure as a traditional point-of-sale system?”

Infrastructure and Scalability Built on AWS Container Technology

Nedbank and Synthesis decided to develop the first version of the app for Android, because it’s the dominant smartphone platform in the region. They also knew early on that they wanted to build a containerized solution on AWS. “Software scales instantly and point-of-sale (POS) hardware does not,” says Aurel. “We weren’t building the hardware—we were creating software so anyone could just download the app and get started. Nedbank might onboard 10,000 merchants a month, and if each of them completed 10, 100, or 1,000 transactions per day, you have to be able to scale rapidly.”

Using containers on AWS, the backend services can scale automatically without worrying about server infrastructure and maintenance. This improves app performance and means retailers can reliably and quickly accept payments from buyers.

The entire backend of the SoftPOS system runs on AWS, with all transactions passing through AWS to Nedbank. The system uses Amazon Elastic Compute Cloud (Amazon EC2), which provides secure and resizable compute capacity for virtually any workload, and Amazon Elastic Kubernetes Service (Amazon EKS), to start, run, and scale Kubernetes.

Signing and Encrypting Secure Messages Using AWS KMS

Security was a critical consideration for the solution because the application processes sensitive payment card data. Synthesis’s background in encryption and secure banking technologies proved valuable. The project team was confident that all the security, encryption keys, and payment processing could be managed using AWS.

The solution uses AWS Key Management Service (AWS KMS) to create and control the keys used to encrypt and digitally sign data. “AWS KMS is fundamental to system security,” says Aurel. “The solution needs to have cryptographic security and robustness built into it. The only way to protect data is to have strong encryption keys.”

Another challenge for the project team was the lack of overarching standards for using a mobile app to accept secure transactions. At the time, the PCI had not yet introduced a standard for this kind of transaction (it did so in November 2022), so the security relied on innovations developed by existing card systems in different countries. The experience Synthesis had in this area was a major benefit to Nedbank, because it assured the bank that its clients could safely transmit data and that it would comply with all necessary standards.

Each message the system sends needs to be encrypted and signed, which involves two separate cryptographic functions. AWS KMS ensures the authenticity of the message, so the person generating the data on the phone can be verified. “AWS KMS helps us achieve users’ cryptographic security throughout the solution,” explains Aurel.

Synthesis built payment kernels (operating systems) to allow the solution to work with different card systems and created a software development kit (SDK) with the required embedded security features. The SDK can be embedded into any Nedbank app, providing the bank with the flexibility to use the SDK anywhere across its existing product set.

The solution went through many rigorous testing procedures to ensure it was secure enough to conduct financial transactions. Nedbank received Level 2 and Level 3 EMV certifications—a payment card standard created by Europay, Mastercard, and Visa (EMV)—and completed PCI Security Labs evaluation.

After approximately 8 months of work, Nedbank launched the first SoftPOS solution in Africa in June 2020. This consisted of an Android app and a supporting backend system running on AWS. Customer uptake of the SoftPOS solution has been a great success for Nedbank, with card transaction volumes on the SoftPOS solution increasing by 250 percent in 2022 compared to the previous year.

Simple, Inclusive Banking Services for Clients

The project has helped Nedbank fulfill its commitment to helping small business clients. Making it easy and inexpensive for small and microbusinesses to accept debit and credit card payments lowers the barrier to entry for aspiring retailers in South Africa. Nedbank is now exploring expanding its use of the SDK for use in other related sectors, notably insurance.

It’s now possible for any individual or small business with access to a smartphone to make a living or augment their income by selling goods and services. “We’re proud to have been able to focus on and deliver what our customers needed,” says van Rooyen. “It’s been a challenging but rewarding journey and it wouldn’t have been possible without Synthesis and AWS