1UL and the UL logo are trademarks of UL LLC © 2015

Making Cloud-Based Payments a reality

Arman AygenRegional Sales Manager

30 September 2015

2

Agenda

Mobile Payment StrategyScope and DevelopmentTesting and CertificationSecurity and Risk Assessment About UL

Current landscapeVision Strategy

3

5

Car

d P

rese

nt

Car

d N

ot

Pre

sent

Non

-Car

d P

aym

ents

Tokenization is necessary but not sufficient

Go Digital

6

Current landscape

Proximity paymentsPOS – mPOSFragmented Mobile ecosystem Remote payments Peer to peerValue added services

7

Assessing the impact

• Provisioning / Card profile

• Card Management System

• Authorization host

• UI / app / wallet

• Customer care / support etc.

8

9

Agenda

Mobile Payment StrategyScope and DevelopmentTesting and CertificationSecurity and Risk AssessmentAbout UL

Design & specificationsVendor vs In-houseDevelopment

10

What is ‘cloud-based mobile payments’?

SE in the phoneReceives a secret onceand keeps the secret safe for 3 years!

10010101011001110010010110011100101

SE in the cloudGenerates a secret prior to every transaction & uploads it to the phone

Different concept…

..same user experience

‘Tap and Go’: same user experience for cloud and non-cloud based NFC payments

11

Strategic choices

Backend integration•The issuer should integrate their backend to the xDES•Real time data handling and responses

Enrollment and Card provisioning•All processes and action for pre-digitization•Build internal support for pre-digitization and activation

Payment Transactions•Business as usual, receiving original PAN•Authorize transactions without crypto validation

Key decisions before implementating a mobile solution

12The battle between Legacy & Innovation is also being fought “under the water”

Infrastructure Space

Core banking sys.

MDES / VTS

Tokenization

APIs

Biometrics

HCE

Device fingerprint

White-box crypto

Product SpaceApple Pay

Google Hands Free

Android Pay

13

Agenda

Mobile Payment StrategyScope and DevelopmentTesting and CertificationSecurity and Risk Assessment About UL

14

Testing each components in the product System under test

Payment Network

Aquirer

Cloud Based System Issuer

Internet

Merchant POS

Mobile Device

Issuance

Transaction

Cloud-based solution

HCE MPA

• MPA • Cloud based system

• Issuer (Card management system)• Issuer (Authorization system)• Issuer (Card profile)

Systems Under Test

15

Ensuring interoperability on different levels

Objective 3• Ensure all functionalities of the

different mobile payment solution works correctly within one handset

16

Agenda

Mobile Payment StrategyScope and DevelopmentTesting and CertificationSecurity and Risk AssessmentHow can UL help?

17

PublicNetwork

Cloud Platform

Issuer Processing

Host S

ystem

Personalization backend

Application

Refreshment / Updatebackend

Mobile App Assets

CLF

Routingtable

SE

UI

Secure

OS

Rich OS

Application

HCECloud Assets

Cloud-based Payments.Security Evaluation – System Under Test.

Required bySchemes

Don’t forget the cloud

Provisioning, Account management. Life Cycle management

End User perspective

attacks

O.S. Attacks

U.I. Attacks

Pen -Testing

17

18

Listen to your customers...

19

Ensuring payment securityis one of highest priorities and security

in cloud-based payments is no exception

Since 2014, UL is a Visa, MasterCard and AmericanExpressCloud-based Mobile Payment Security Evaluation Laboratory

20

Agenda

Mobile Payment StrategyScope and DevelopmentTesting and CertificationSecurity and Risk AssessmentAbout UL

21

Safeguarding Security, Compliance and Global Interoperability

21

22

23

THANK YOU.UL – Innovation Seminar : Payment industry vs Silicon Valley

SF – Sept 9th 2015 Singapore – Sept 18th 2015Leiden – Sept 25th 2015 Sydney – Sept 15th 2015

UL – Security SeminarShenzhen - Oct 20th, 2015 San Jose - Oct 21st, 2015Atlanta - Oct 23rd, 2015 Leiden - Oct 27th, 2015Dubai - Oct 29th, 2015

UL – Mobile Payment MasterClassLeiden – Sept 21st, 2015 Barcelona – Oct 13th, 2015Zurich – Oct 19th, 2015 Croatia – Nov 10th, 2015Dubai – Nov 17th, 2015 Singapore – Dec 9th, 2015Sao Paulo– Dec 9th, 2015