NFC Application Mobile Payments

Academic year: 2021

Trainings

NFC Application Mobile Payments

MobileKnowledge June 2014

(2)

Agenda

► Introduction to payments

► Card based payments

► Mobile based payments

 NFC based payments

► mPOS solutions

► NXP Product portfolio

(3)

Introduction to payments

From barter to mPayments

► The transfer of an item of value from one party to another in exchange for the provision of goods, services or both or to fulfill a legal obligation

► Payments are frequently preceded by an invoice and result in a receipt

Provisioning: To transfer money from one account to another

Exchanging: To change coin, money and banknote

Timeline: Neolithic Age, 10,000 years ago; Lydia (Turkey), 7th century BC; United States, 20th century; Worldwide, 21st century

(4)

Credit Card based payments

Evolution of “plastic” money

► Embossed Credit Card

 Payment data is raised, or in relief, in metal

 Easy to clone, data cannot be updated, short-lived

► Magnetic Stripe Credit Card

 Payment data is stored by modifying the magnetic particles of the magnetic band

 Easy to clone, data cannot be updated, short-lived

► Chip Credit Card

 Payment data is stored in highly secure, tamper resistant ICs

 Impossible to clone, data can be updated on-demand, long-lived

► Contactless Credit Card

(5)

Credit Card based payments

Payment transaction

Entities: Cardholder, Merchant, Acquirer Bank, Payment Network, Issuer Bank, Settlement Bank

1- Present Card

2- Card and transaction info

3- Auth request (transaction info)

4- Auth request (transaction info)

5- Auth response

6- Auth response

7- Transaction result

Settlement ($$$): Settlement Bank

Diagram legend: Offline operation, Online operation

(6)

Credit Card based payments

Payment card schemes

► Global Payment Card Schemes

 Magnetic Stripe

 RuPay: Rupee Payment

 PBOC: People's Bank of China

 EMVCo: Europay Visa MasterCard

► EMV Fraud Reduction numbers

 Europe (EMV Continent)

 36% overall drop in fraud over 5 years

 UK fraud drops 69% over five years

 Fraud basis point drops 25% in France

 US (only non-EMV G20 Country)

 $6.1 billion fraud losses in 2012

 Potential $44.8 billion fraud losses over the next 5 years

(7)

Credit Card based payments

EMV Specifications

Diagram (contact cards): ISO 7816 – 1/2/3/4/5 specifications; EMVCo 1, 2, 3, 4 books; VSDC, M/Chip 4, Others

► EMVCo is currently governed by Visa, MasterCard, Amex, Discover, JCB & CUP

► EMVCo books define debit, credit and prepaid payment systems for IC based transactions

► EMVCo Contactless books provide extension for contactless transactions

► EMVCo defines two certification levels:

 Level 1: physical, electrical and transport level interfaces

 Level 2: payment app selection and credit financial transaction processing

Diagram (contactless cards): ISO 14443; EMVCo Contactless A, B, C, D books; PayWave, PayPass, Others

(8)

Credit Card based payments

EMV Transaction Flow

Application Selection: Identify mutually supported Application Identifiers (AID)

Card Authentication Method: Static, Dynamic or Combined Data Authentication

Card Verification Method: Online PIN, Offline PIN, Signature, no CVM

Card risk analysis: Online / Offline transaction

Validation by the card of the online processing

Completion and script processing by IC

Online Transaction authorization (optional)

POS risk analysis: Online / Offline transaction

Entities: Merchant, Acquirer Bank, Payment Network, Issuer bank, Cardholder

(9)

Credit Card based payments

EMV Transaction Flow

► Sensitive Data is exchanged among entities through public networks

► Hardware and Software (POS, Routers, Firewalls, …) can be corrupted

Diagram legend: Offline operation, Online operation

(10)

Credit Card based payments

Payment Card Industry Security Standard Council

► The PCI Security Standard Council is focused on the security of the payment industry ecosystem

(11)

Credit Card based payments

Summary

► Credit card payments and mobile payments have a lot in common

► The payments ecosystem is composed of the following entities

 The cardholder, the merchant, the issuer bank, the acquirer bank and the payment network

► Chip and PIN cards provide the most secure and convenient credit card solution

► EMVCo is the international standard for chip based credit cards.

► PCI Security Standard Council is in charge of the security of the whole ecosystem

(12)

Introduction to mobile payments

Mobile payment schemes and market status

► Payment services performed from or via a mobile device

► Mobile payments adoption forecast

 Up to 20% of current retailing payments come from mobile channels.

 By 2020, 50% of transactions will be performed by a mobile phone.

► Four primary models for mobile payments

 Premium SMS based transactions

 Direct Mobile Billing

 Mobile web payments

(13)

NFC based payments

The technology in a nutshell

► Payment data stored in our mobile device

► NFC enabled mobile devices used as payment cards

 Proximity communication (2 cm), difficult to eavesdrop on

► Transactions are carried out in the same way

 No impact on security

 Compatible with current standardized infrastructure (POS)

► Advantages of an NFC phone compared to a card

 Processing power & memory

 Connectivity

 User interface

 Battery

► EMV Application Activation User Interface for Wallet applications

 Describes how to enable/disable payments applications from Wallet apps

(14)

NFC based payments

Card Emulation configurations

► The NFC device can emulate a card using:

 Secure Element: highly secure and tamper resistant microcontroller in the device

 Widely deployed solution

 Form factors: uSD, eSE, UICC

 Host Processor: main processor of the device where the OS and applications reside

► The NFC Controller forwards each APDU according to its Routing Table

Diagram: App Processor (Host), NFCC, SE; interfaces: HCI / SWP, NFC-WI, HCI / NCI

(15)

NFC based payments

Secure Element based payments

► A specific IC to handle and store sensitive data

 Non-Volatile Memory

 Security CPU

 Crypto co-processors

► Protected through cryptographic keys

 Only authorized entities can access the SE

► Protected against tampering & attacks

► Secure IC validated by third parties certification, i.e. Common Criteria

► Same family of product as used in payment cards, e-Passports…

 Proven secure mass market products

(16)

NFC based payments

Secure Element based payments - Specs

► GlobalPlatform specs define the management of multi secure applications and the messaging for the personalization, security key management and application loading on the SE

 Specs are independent of the final applications

► EMVCo is the standard for secure chip based payments

► Payments applications are certified together with the hardware and software on top of which they are executed

(17)

NFC based payments

Secure Element based payments - Ecosystem

Diagram: SP-TSM, SE-TSM, MNO/Retailer, OEM, Service Provider, Secure Element Manufacturer, Silicon Manufacturer, Customer; secure element form factors: UICC, eSE, uSD; physical flow and logical flow

(18)

NFC based payments

Card instantiation and selection procedure

AAUI (Wallet): Activate / Deactivate Payments applets

TSM: Creates and maintains instances of mobile payments applets

 Create applet Instance

 Update PPSE with new instantiated AID

Secure element: PPSE, AID: “2PAY.SYS.DDF.01”

Applet instances (first listing):

 MMPP Instance 1, Prio: 2, AID: A000000004101001

 MMPP Instance 2, Prio: 1, AID: A000000004101002

 VMPA Instance 1, Prio: 3, AID: A000000003101001

 VMPA Instance 1, AID: A000000003201001

Applet instances (second listing):

 MMPP Instance 1, Prio: 3, AID: A000000004101001

 MMPP Instance 2, Prio: 2, AID: A000000004101002

 VMPA Instance 1, Prio: 0, AID: A000000003101001

 VMPA Instance 1, Prio: 1, AID: A000000003201001

POS exchange:

 Select 2PAY.SYS.DDF.01

 A000000004101001, 3; A000000004101002, 2; A000000003201001, 1

 Select A000000003201001

(19)

NFC based payments

HCE based payments

► Sensitive information is stored in the Host Processor or in the Cloud

 More memory available via host versus secure element

► Application/service providers and end users get (more) control

 Versus eSE/UICC models under control of OEMs / MNOs

► It may accelerate the deployment of NFC services (Simpler ecosystem)

► “more-simple-but-less-secure” card emulation

► Endorsement of HCE payments by VISA and MasterCard

► EMV Payment Tokenization Specification (March 2014)

► Certification, a big job ahead …

(20)

NFC based payments

HCE based payments - Tokenization

► Tokenization: replacement of sensitive data with a unique identifier that cannot be mathematically reversed.

► PCI mandates that PANs not be stored on non-PCI DSS compliant devices

► Must be monitored in real time, which forces always online authentication at POS

Diagram (tokenized authorization flow): Cardholder, Merchant, Acquirer Bank, Payment Network, Token Service Provider; messages: Token Auth Request (three times), Token + PAN, De-tokenization, Auth Response PAN, Auth Response Token + Last4digPAN (twice)
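
The tokenized flow on this slide as an added example (not from the original deck): a token service provider issues random, PAN-format tokens and is the only party able to de-tokenize, so the response travelling back to the merchant carries just the token and the last four PAN digits. The class and function names, the issuer's approval rule and the test PAN are constructed for illustration.

```python
# Added example, not from the original slides.
import secrets

TEST_PAN = "4111111111111111"   # constructed test value, not a real account

def luhn_ok(number: str) -> bool:
    """Luhn check, so tokens pass the same format checks as a PAN."""
    digits = [int(d) for d in reversed(number)]
    doubled = sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return (sum(digits[0::2]) + doubled) % 10 == 0

class TokenServiceProvider:
    """Holds the only token -> PAN mapping (hypothetical vault)."""

    def __init__(self):
        self._vault = {}

    def tokenize(self, pan: str) -> str:
        # The token is drawn at random, never computed from the PAN, so it
        # cannot be mathematically reversed; only the vault lookup links them.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in pan)
            if luhn_ok(token) and token != pan and token not in self._vault:
                self._vault[token] = pan
                return token

    def detokenize(self, token: str) -> str:
        return self._vault[token]          # KeyError for an unknown token

def issuer_authorize(pan: str, amount: int) -> bool:
    """Hypothetical issuer rule: approve amounts up to 100."""
    return amount <= 100

def payment_network(tsp: TokenServiceProvider, token: str, amount: int) -> dict:
    """De-tokenize, ask the issuer with the PAN, answer with token + last 4."""
    try:
        pan = tsp.detokenize(token)
    except KeyError:
        return {"token": token, "approved": False}
    return {"token": token, "last4": pan[-4:],
            "approved": issuer_authorize(pan, amount)}
```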

(21)

NFC based payments

HCE based payments - Ecosystem

Diagram: Mobile Application; HCE/cloud based payments Mobile Application Manager; HCE/cloud-based payments platform; SP-TSM? SE-TSM?; Traditional eco-system: Merchant, Acquirer Bank, Payment Network, Issuer bank

(22)

NFC based payments

SECE vs HCE

► Advantages of the SECE

 It is a provably secure solution

 Fully standardized

 Specs and Certification processes validated

 Well-known ecosystem

 Works with Offline POS infrastructure

 Meets timing requirements for POS redemption

► Advantages of the HCE

 It does not require specific hardware

 Issuer centric business model

 Ideal for small service providers

 Bigger memory capacity

(23)
(24)

mPOS solutions

Market status and forecast

► mPOS adoption is expected to increase to 38 million by 2017, with a forecast CAGR of 42.7% largely driven by retailing sector

► By 2017, the adoption of mPOS terminals over standard POS terminals will be 46% as opposed to the 17% in 2012.

Figure: mPOS proximity payment value, 2012 to 2018

(25)

mPOS solutions

mPOS system architecture

► Mobile is revolutionizing the traditional retail market

 Consumers and merchants increasingly interact in-store using tablets and/or integrated tablet systems

► mPOS devices require a connection with another mobile device, be it a handset, tablet, or PDA.

Block diagram: Main Controller Unit; Contact reader IC; Contactless reader IC; MagStripe HW; Display; Ext Memory (SRAM, Flash); Keypad; Battery; PMU; Secure Bat

(26)

mPOS solutions

Specifications and Certifications

► mPOS terminal requirements to be EMV Certified

 Contact & Contactless Level 1, Level 2

► mPOS terminal requirements to be PCI Certified

 PCI Data Security Standard (DSS)

 PCI Payment Application (PA) Data Security Standard (DSS)

 PCI PIN Transaction Security (PTS)

 PCI PIN Transaction Security (PTS) for Point of Interaction (PoI)

 PCI Point to Point Encryption (P2PE)

(27)
(28)

Mobile NFC ICs

NFC Controllers

PN547

 EMVCo 2.0 compliant

 50% smaller footprint

 50% power consumption reduction

 Cortex M0 uC

 SWP interface supported

 Largest operating range

NFC Controllers + Secure Element

PN65T

 Stacked IC solution including PN547 and Smart MX2 (P61N1M3)

(29)

NFC Reader ICs

► Low cost RF front-end IC

► NFC compatible with FeliCa, NFC-IP1, ISO/IEC14443 A & B support

► Full NFC device (Read/Write, Card Emulation, full P2P)

Dedicated booster for EMVCo (VISA, MASTERCARD) RF compliant

► Highest RF output power front-end IC paired with intelligent low power card detection

► Support of all major 13.56 MHz standards

► NFC-Ready device (Read/Write, P2P Passive Initiator)

EMVCo (VISA, MASTERCARD) RF compliant without dedicated booster

(30)
(31)

ISIS Mobile Wallet

Secure Element based Mobile Wallet

► Joint Venture among AT&T, T-Mobile and Verizon Wireless

► Submit payment and loyalty information in only one tap

► Visa, MasterCard, Amex, Barclaycard US and Discover Network

► SIM/UICC is used as the Secure Element

► Users can remotely suspend their account in case of loss

► Commercial launch in the United States

(32)

Bankinter & BRC Mobile Wallets

► Spain-based Bankinter bank, together with the Spanish company Seglan, has developed an HCE solution for EMV payments

 “Risk assessment” process performed by Fraunhofer AISEC laboratory

► Bank Royal of Canada has introduced an NFC mobile payments service that stores customers’ card details in the cloud

 Its EMV-enabled Secure Cloud service uses the Secure Element to store tokens.

(33)

Google Wallet

Moving from SE to HCE based Wallet

► Google Wallet version 1.0

 Released in September 2011

 Google, MasterCard, Citibank and NXP joined the project

 All credit card information stored in the SE

► Google Wallet version 1.5

 Released in August 2012

 Support for all major credit cards: Visa, American Express, …

 Card data stored in Google’s highly secure servers

 A virtual card ID is stored in the SE, which is used for transactions

► Google Wallet version HCE

 Released in March 2014

 Google goes HCE and ends support for physical SE

(34)
(35)

Mobile Payments

Summary

► Mobile payments market share to significantly increase in the coming years

► NFC based payments are compliant with traditional card based ecosystem

 Well-known ecosystem defined for many years

 Mobile devices provide new features

► EMVCo is the international standard for NFC mobile payments

► Two main configurations are available: SE and HCE based payments

► Mobile devices to be used also as mPOS devices

► NXP is offering the widest portfolio in the market

► Successful mobile payment applications are already in the market

(36)

MobileKnowledge

Thank you for your attention

We are a global competence team of hardware and software technical experts in all areas related to contactless technologies and applications.

Our services include:

► Application and system Design Engineering support

► Project Management

► Technological Consulting

► Advanced Technical Training services

We address all the exploding identification technologies that include NFC, secure micro-controllers for smart cards and mobile applications, reader ICs, smart tags and labels, MIFARE family.

www.themobileknowledge.com

(37)

Thank you for your kind attention!

► Please remember to fill out our evaluation survey (pop-up)

► Check your email for material download and on-demand video addresses

► Please check NXP and MobileKnowledge websites for upcoming webinars and training sessions

www.nxp.com/products/related/customer-training.html

www.themobileknowledge.com/content/knowledge-catalog-0

NFC Application Mobile Payments

Gorka Hernando (Speaker) / Eric Leroux (Host)
