We all love the convenience of ’Tap to Pay’. It’s fast, intuitive, and is widely accepted as part of everyday life. But behind that simple tap is a surprisingly complex ecosystem that’s starting to show its age.
One of the key challenges with the infrastructure supporting contactless payments, is that it’s far more fragmented than it should be. Today, there are more than 20 different contactless kernels in use globally. Each card scheme has its own proprietary version, and this means that every payment terminal has to carry the full suite of multiple kernels to ensure broad acceptance. For merchants, vendors and card schemes alike, this approach is expensive, difficult to maintain, and slows down innovation.
Then there’s the issue of security. Most contactless cards still rely on RSA encryption, a standard that is beginning to look vulnerable beyond ~2035 due to developments in standard computing as well as quantum. Issuers need to migrate to Elliptic Curve Cryptography (ECC) by 2030 to stay ahead of evolving threats. On top of that, current contactless cards still transmit sensitive data in the clear, raising concerns around data privacy, data harvesting and fraud.
So what do we do about it?
Enter C-8.
EMVCo’s C-8 specification is designed to solve these problems. It’s a single, unified contactless kernel that replaces the fragmented, brand-specific approach we’ve been working with for years. Think of it as the contactless equivalent of the chip card kernel: one common foundation that works across all card brands.
C-8 isn’t just about consolidation and cost saving. It’s a major upgrade in security and functionality:
Encrypted cardholder data using AES to protect sensitive information.
ECC-based authentication for a more secure, scalable cryptographic foundation
Support for loyalty, transit, and closed-loop schemes, enabling new use cases.
Simpler POS integration, reducing time-to-market and cost for merchants and vendors.
Better compatibility for smaller issuers and domestic card schemes trying to scale.
What we’re seeing in the market.
C-8 adoption is already underway. POS vendors like Ingenico and PAX have certified C-8 kernels on their devices. Card schemes are actively developing specifications. And there’s real interest from merchants, transit authorities, and fintech innovators.
At Consult Hyperion we’re at the heart of this next wave of innovation. We’re working with card schemes to develop their C-8 specifications, for both cards and mobile. We’re helping to define and produce test plans, and we’re guiding clients as they prepare for certification and rollout.
We’re seeing a clear shift in thinking. Stakeholders are no longer asking if C-8 will happen. They’re asking how they can ready themselves, rapidly, to be at the forefront of this evolution.
Strategic complications for payments & product teams.
If you’re in payments innovation, product development, or infrastructure strategy, C-8 should be on your radar now. It impacts how fast you can scale, how much you spend on certification, and how well you can support new use cases like Tap-to-Phone, in-transit payments, or loyalty-integrated cards.
For issuers, now is the time to plan your ECC migration, ideally before you’re boxed into a rushed reissuance cycle.
For acquirers and terminal vendors, C-8 reduces the cost and complexity of kernel management, helping you get to market faster and support more card types.
For emerging schemes, it offers a path to acceptance that doesn’t require fighting the kernel deployment battle.
Risks of standing still.
RSA has a limited life. The window to migrate contactless portfolios narrows. Waiting too long means you could end up trying to reissue millions of cards in a short timeframe, which is not an ideal scenario.
There’s also a competitive risk. As larger players roll out C-8 compatible cards and terminals, they’ll expand their acceptance footprint faster and more efficiently. Falling behind risks missing that window.
Our experience.
We’ve supported every major wave of EMV innovation from the beginning, and C-8 is among the most important shifts we’ve seen.
At Fime, We’re:
Actively working with global schemes on specification development.
Supporting test tool creation and certification workflows.
Helping clients understand what C-8 means for them, both technically and strategically.
C-8 isn’t just a tech upgrade. It’s a chance to reset the contactless ecosystem, reduce friction, and set the stage for faster innovation.
Let’s talk.
If you’re thinking about how C-8 fits into your product roadmap or want help navigating the next steps, we’re here.
Simpler, smarter contactless is coming. Let’s build it together.
Gary Munro, Vice President Payments Consulting
Gary joined Consult Hyperion in 2011, following his role at Gemalto where he led the Point of Sale (POS) Division in the UK and the Republic of Ireland, prior to and during its acquisition by VeriFone. He brings over 35 years of experience in secure electronic payments, with a strong track record in designing and delivering point-of-sale solutions tailored to the needs of some of the world's largest acquirers and payments processors.
Following Fime’s acquisition of Consult Hyperion, Gary is now part of Fime’s unified Consulting team, which continues to operate under Consult Hyperion brand to reflect its strong market reputation.
Gary leads retail transaction consulting activities, advising payment networks, retail banks, acquirers, merchants and fintechs on the technical, security, hardware and software aspects of their payment solutions. He has supported several central banks in the design of CBDC payment systems and helps payment networks define their functional and security requirements for payment services. He also provides strategic guidance during vendor selection processes, and conducts Technical Due Diligences assessments for investors and organizations to evaluate the robustness and effectiveness of critical business infrastructure.
