TSM Point of View and Issues Faced
EC/ETSI Workshop on Collaborative Ecosystem for M-Payments
Sophia Antipolis, France, 1.7.2014
Lauri Pesonen, Giesecke & Devrient
Company confidential
Contents
1. Mobile Payments Landscape
2. Secure Elements Based NFC Ecosystem for Mobile Payments
3. Basic Information on HCE/Cloud Based Mobile Payments and Trusted Execution Environment (TEE)
4. Summary and Conclusions
Fueled by Smart Phones, Mobile Financial Services are being launched
Mobile Payments market is diverse with many different solutions

Payment Services: In-store Payments (at POS), Online Payments, In-app Payments, P2P Payments
Payment Schemes: Card Payment Schemes (Credit, Debit, Prepaid; Visa, MC, Amex, …), Local debit, Payments from Bank Account, PayPal, Other payment schemes
Connectivity: NFC, QR Codes, BLE, HTTP
Security: Secure Element, TEE, SW Security, Cloud
Other Services: Loyalty, Coupons, offers, Mobile Marketing, Ticketing

Mobile Payments on one hand re-use the existing payment services & infra, and on the other hand exploit the capabilities of mobile devices to adapt the existing services and to create completely new services
Important Requirements for Mobile Payments
• Consumer Experience
• Security
• Standards, Open Specs
• Availability
• Scalability
• Cost
• Value Add Services
What is NFC?
NFC enables touch based mobile services
NFC stands for Near Field Communication
NFC is a contactless technology
• Standardized: contactless card mode ISO 14443, NFC air interface ISO 18092
• Compatible with contactless payment terminals
• Compatible with other contactless infra, such as ticketing and access control
NFC is mainly deployed in mobile devices
NFC enables mobile contactless applications, e.g. payment, ticketing, loyalty
NFC uses a Secure Element (SE) as a processor and storage for security sensitive applications, such as payment and ticketing
Mobile NFC Ecosystem: Secure Element Enables Secure Mobile Applications
[Figure: ecosystem diagram. SE issuers (MNOs, OEMs) issue Secure Elements; Service Providers (banks, transport companies, public authorities, retailers, venues, online services) issue SE applications via Trusted Service Management (SP TSM and SEI/MNO TSM, connected over the air and through the GlobalPlatform API). SE/NFC applications are used in the proximity infrastructure (NFC payment, loyalty, coupons, transit ticketing, event ticketing, access control, service discovery, accessory) and for online services (strong authentication, mobile banking, remote payments) through a Mobile Wallet.]
SECURE ELEMENT (SE):
• Multi-application smart card chip in the NFC device
• Different form factor alternatives (SIM, microSD, Embedded SE) issued by MNOs or other parties
• Stores smart card applications issued by Service Providers
TSM provides secure aggregating services for:
• OTA management of secure elements
• OTA provisioning of SE applications
• OTA life-cycle mgmt of SE applications
Leveraging contactless acceptance infrastructure and mobile services, NFC provides value for business stakeholders and consumers
MOBILE OPERATORS
• Role of multi-application Secure Element issuer
• NFC as a new channel to existing operator services
• New NFC based services
• New customer acquisition, retention of existing customers
TRANSPORT OPERATORS
• Leverage existing contactless ticketing infra to introduce mobile ticketing
• Cost efficient OTA ticket issuance
• More customers, less free riders
• Mobile channel – new and convenient services to commuters
BANKS
• Part of mobile channel – portfolio of mobile financial services supported by frequently used payments
• Leverage existing contactless acceptance infra to introduce mobile payments
• New customer acquisition, retention of existing customers
MERCHANTS
• Mobile loyalty and CRM programs – enhanced consumer experience, profiling with opt-in usage
• Leverage the investments in contactless acceptance
• More customers, more business
CONSUMERS with NFC phone
• Always with you
• Online services
• Proximity interactions
• Customized Experience
• Multiple services
NFC Mobile Payments leverage existing card payments infrastructure
[Figure: Issuer (TSM, Account Mgmt, Issuer Auth Host) issues a Mobile Payment Card (debit, credit) to the NFC phone with Secure Element (Wallet, Secure Element, Payment Applet, NFC). The End User performs a contactless payment at the C'less POS Terminal, which is processed via the Acquirer.]
Contactless payment transaction in the existing payment acceptance and processing infrastructure
Secure storage and processing of payment credentials
Trusted Service Management framework in the NFC Ecosystem
[Figure: NFC Application Management (SP TSM) on the Service Provider side and SE Management (SEI TSM) on the SEI side are connected through the GP TSM Messaging Interface, with a Controlling Authority (CA). Both reach the SE (SIM/other) Over-the-Air (OTA). The SE holds the ISD and an SPSD containing the Service Provider Applet; the Mobile Wallet uses the applet over NFC and for online services.]
SERVICE PROVIDER "DOMAIN": Management of SP applications (SP TSM), TSM services to SPs
• Key management of SPSD
• Loading of SP applet into SPSD (depending on SSD conf.)
• Data preparation of SP applet
• Personalization of SP applet
• Life-cycle management of SP applet: lock, unlock, delete
• Notifications between SEI and SP domains
SEI "DOMAIN": Management of Secure Elements (SEI TSM), SE Manager functions
• Eligibility checks
• Creation of security domains (SPSD) on SE for Service Providers
• Authorization of which applets can be loaded into SE / SSD (GP Delegated Mode)
• Loading of applets (GP Simple Mode)
• Deletion of applets (GP Simple Mode)
• Subscription/SIM/handset life-cycle management in relation to NFC service
• Notifications between SEI and SP domains
NFC Usage: Use of NFC applications at contactless acceptance infrastructure for payment, ticketing, loyalty etc.
TSMs are Trusted Service Aggregators in the NFC Ecosystem
• TSM's primary role is to provide secure services for provisioning and life-cycle management of the consumer's NFC applications on secure elements, after the consumer has purchased an NFC phone
• TSMs provide service aggregation on behalf of secure element issuers and service providers
• TSM's role is to be technology agnostic and to support different mobile devices and secure elements
GlobalPlatform is the de-facto standardization body for TSM interoperability
• Role of GP
  • GlobalPlatform is a member-driven association with good representation from all stakeholders across the NFC ecosystem and related markets. Using this wealth of knowledge and adopting a collaborative approach, GlobalPlatform has been able to assess the business requirements of each industry sector and develop specifications that promote universal messaging that is adaptable to support all business models and use cases.
• Two specifications & one configuration framework have been released by GlobalPlatform to date
  • Web Services Profile for GlobalPlatform Messaging Specification v1.0
  • GlobalPlatform's Specification for Management of Mobile NFC Services v1.0, 1.1, 1.1.2
  • E2E Simplified_Service_Management_Framework_v1.0
• Support & alignment
  • The GlobalPlatform Mobile Messaging Specifications align with, and meet the requirements of, key industry associations including the European Payments Council (EPC) and GSMA, and use cases from the Association Française pour le 'Sans Contact' Mobile (AFSCM).
• Work in progress
  • Compliance Program: GlobalPlatform will align its compliance program to support the end-to-end framework. It will test products against current specifications for cards and devices, and then use the framework as a potential use case to test the end-to-end deployment.
Market Status for NFC/SE based Mobile Payments
• A large number of NFC mobile payments projects have been implemented worldwide during the last years, using the secure element of the NFC device for payments
• Many projects have gone live for the commercial service stage; additional projects are being prepared for commercial launch
• NFC handset availability has significantly improved, except for Apple / iPhone
• Contactless payment acceptance infrastructure is also growing
• Specifications and standards exist, and many vendors offer compliant products and services
• However, the consumer uptake for the launched NFC services is low
Considerations on the issues and challenges for SE based NFC Mobile Payments
• Relatively high complexity of the ecosystem with multiple stakeholders and a number of interconnecting systems/components
• Different views between stakeholders on the fees for NFC enablement
• Competing interests on mobile wallets, i.e. who provides the wallet to consumers
• Even if consumers have NFC enabled mobile devices, secure element access is not granted – for many markets NFC SIMs are not yet a mainstream SIM product, and embedded secure elements are not available
• End-user process for applying for NFC services can be cumbersome
• Lack of additional NFC mobile services in addition to payments
• Low consumer awareness of NFC services
Google announced Host Card Emulation on Android 4.4 at the end of October – since then it has generated substantial interest in HCE enabled cloud payments
Card Emulation with SE (Android, BB or WP handset with NFC): Android App (Wallet / UI), Secure Element, NFC Controller. The SE itself performs the communication with the NFC terminal; no Android app is involved in the POS transaction.
Host Card Emulation (Android OS 4.4 with NFC): Android App, Data Centre, NFC Controller. With HCE the Android app communicates with the NFC terminal, or alternatively routes communication between a cloud server and the terminal (Android app as proxy).
Mobile Contactless Cloud Payments
• Definition: cloud payments mean a mobile contactless payment transaction at POS, where the payment credentials are managed in the cloud and accessed via the mobile device to conduct the payment transaction
• Basic Concept
  • Cloud payment does not use a secure element on the mobile device
  • Cloud stores payment credentials which can be used for generating "payment tokens" for POS payments
  • Wallet accesses the Cloud Payment Service to request payment tokens to be used for POS payments
High Level Cloud Payment Solution
[Figure: Issuer (Issuer Account Mgmt, Issuer Auth Host), Cloud Payment Service, Acquirer, NFC enabled POS Terminal, Smartphone with HCE (Wallet, Cloud Client), End User.]
• Wallet emulates the payment card and uses payment credentials / tokens received from the cloud when transacting with the POS – SW based and system-wide security, online authorization of payment transactions
• No changes required for POS terminal or Acquirer
• No connection to Cloud during the payment transaction – Wallet interacts with Cloud prior to the payment transaction and downloads payment credentials / tokens that can be used for one or multiple payment transactions
Note – Issuer Account Mgmt is a collective term and represents various issuer systems that are relevant for the mobile payments service
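The pre-provisioned token flow described on this slide, as an added Python model that is not part of the presentation or of any G&D product: a hypothetical cloud service (the class names and the HMAC-based binding of a token to a card reference are assumptions) issues single-use tokens to the wallet while it is online, the tap hands one token to the POS with no cloud connection, and the issuer's online authorization rejects tokens that are replayed or tampered with.

```python
import hashlib
import hmac
import secrets


class CloudPaymentService:
    """Hypothetical issuer-side cloud (assumption): holds the real credential and a key the handset never sees."""

    def __init__(self, issuer_key: bytes):
        self.key = issuer_key
        self.unspent = set()  # token ids issued but not yet used at a POS

    def _mac(self, card_ref: str, token_id: str) -> str:
        # Binds a token to the card reference so it cannot be re-pointed at another account.
        return hmac.new(self.key, f"{card_ref}:{token_id}".encode(), hashlib.sha256).hexdigest()

    def issue_tokens(self, card_ref: str, count: int) -> list:
        # Called by the wallet while it is online, ahead of any tap.
        batch = []
        for _ in range(count):
            token_id = secrets.token_hex(8)
            self.unspent.add(token_id)
            batch.append({"card_ref": card_ref, "token_id": token_id,
                          "mac": self._mac(card_ref, token_id)})
        return batch

    def authorize(self, token: dict) -> str:
        # Online authorization reached via the acquirer: check integrity, then enforce single use.
        if not hmac.compare_digest(token["mac"], self._mac(token["card_ref"], token["token_id"])):
            return "DECLINED_BAD_MAC"
        if token["token_id"] not in self.unspent:
            return "DECLINED_REPLAY"
        self.unspent.discard(token["token_id"])
        return "APPROVED"


class HceWallet:
    """Wallet app emulating the card; the tap itself needs no cloud connection."""

    def __init__(self):
        self.cache = []  # tokens downloaded earlier, consumed one per transaction

    def refill(self, cloud: CloudPaymentService, card_ref: str, count: int) -> None:
        self.cache.extend(cloud.issue_tokens(card_ref, count))

    def tap(self):
        # Response to the POS: one cached token, or None when the cache has run dry.
        return self.cache.pop(0) if self.cache else None


def pay_at_pos(wallet: HceWallet, cloud: CloudPaymentService) -> str:
    # Unchanged POS and acquirer path: forward what the phone presented for online authorization.
    token = wallet.tap()
    return "DECLINED_NO_TOKEN" if token is None else cloud.authorize(token)
```

The wallet must refill before its cache empties, which is the operational trade-off of keeping the tap offline.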
The Concept of Trusted Execution Environment (TEE) - Securing Apps
[Figure: a Smart Connected Device Processor split into a Normal World and a Secure World. Normal World: Rich OS running App 1, App 2 … App n, with a Trustlet Connector and a TEE Driver Kernel Module. Secure World: Trusted Execution Environment with a Secure OS (Microkernel, Runtime Mgmt., Crypto Driver, Keypad Driver, etc.) running Secured App 1, Secured App 2 … Secured App n, and Hardware Peripherals such as the user interface (touchscreen and keypad). A TEE TSM provides OTA Life-Cycle Management of Secured Apps. A SIM / eSE / SD Card (embedded processor & data storage) is shown alongside.]
TEE provides an extended security scope
Summary & Conclusions
• Mobile Payment landscape is diverse, with multiple solutions on the market and more being introduced
• NFC & Secure Element enabled mobile payments are a standardized and secure solution, which effectively uses the existing contactless payment acceptance infrastructure for card payments
• Significant NFC project activity during the last years worldwide
• Consumer take-up of mobile NFC services, including payments, is still low
• Ecosystem complexity and business issues are the main challenges for NFC & Secure Element based mobile payments – these are to be further addressed
• Cloud based payments on HCE/NFC enabled devices are emerging
• Collaboration across industries is important for the creation of a sustainable and widely used mobile payments ecosystem
Thank You!
Lauri Pesonen
Group Vice President, Global Head of BL NFC
BU Mobile Security, Giesecke & Devrient