Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.

Smart Card to the Cloud for Convenient, Secured NFC Payment

KONA I

Who We Are?

Sazzadur Rahaman

Software Engineer and Team Lead @ KONA SL

Image Source: http://the9gag.com/top-rated/4am-programmer-room-4440


Who We Are?

Md. Sanoar Hossain Khan

Senior Software Engineer and Development Project Manager @ KONA SL

Outline

Payment Systems in Action: A Bird’s Eye View

Moving Smart Cards to the Cloud: The Era of HCE

Birth of Kona Pay: A New Payment Platform in Town

A journey with Kona Pay: Joy of Smashing Challenges

Kona Pay into the Wild: From Korea to USA

Q/A


Payment Systems in Action: A Bird’s Eye View

Payment System Overview

(Diagram of the four-party model: Card Holder with Plastic Card or Mobile Phone; Merchant with POS and E-Commerce; Acquirer; Payment Network; Issuer.)

Payment System Overview – Transaction Flow

(Diagram: the same entities, with the transaction steps numbered 1–5 between Card Holder, Merchant, Acquirer, Payment Network and Issuer.)


Magnetic Cards vs Smart Cards

(Diagram of card components:)
• Smart card: Secure IC Chip (SE) holding the Service applet and the User data
• Contactless Smart card: the same Secure IC Chip (SE) plus an NFC radio
• Magnetic Stripe Card: User data on an open magnetic stripe

Standard NFC Cards and Mobile-based Card

Same components in different form factor

(Diagram: Smart card with IC Chip (SE), Service applet and User data, beside an End-User mobile handset whose SE is connected to the NFC controller over SWP.)

• SE Provider providing SEs (generally MNOs)
• Service Provider providing Services to the consumers (generally Banks)

More convenient than the other form factors

Need for Trusted Service Manager

o Manages Secure Element
o Arranges data exchange and business relationships among stakeholders
o Generates Security Domains (SDs). Manages keys used in generating SDs. Service Providers can safely and independently manage their services.
o Makes service provisioning simpler. Therefore achieves service activation in a short period of time.

(Diagram: the Trusted Service Manager sits between SE Provider 1, 2, 3 and SP 1, 2, 3; each SP has its own Service applet and User data on the SE.)

Still, the ecosystem is more complex than before.

Moving Smart Cards to the Cloud: The Era of HCE

SE-less mobile card: Host Card Emulation

Concept of Host Card Emulation

(Diagram: transaction processing before HCE, where the NFC controller talks only to the Secure Element holding the Service applet and User data; and the additional option with HCE, where the applet and user data may come from the Secure Element, from local storage or from the Internet (shown with a question mark).)

With Google Android 4.4 and above, the NFC controller communicates with the host OS first, allowing the OS to choose where to request the applet and user data from, and to bypass the SE if required.

Security via Tokenization

(Diagram: the Issuer (Bank) runs a Token Server made of a Token Vault and a Token Generator; the user's PAN, expiry date etc. go into the Token Server and a Token comes out to the user's mobile.)

1. Static Parameters
2. Dynamic Parameters

Security via Tokenization

Token’s use during transactions

(Diagram, steps 1–6: user mobile → POS → Acquirer bank → Issuer (Bank); the Issuer's Token Server (Token Vault and Token Adapter) maps the Token back to the user's PAN, expiry date etc. before Authorization.)

During a contactless payment transaction the token travels through the POS to the Issuer system. The Issuer sends the token to the Tokenization Server for checking, and upon getting confirmation that it is valid, authorizes the transaction.
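The flow in the two tokenization slides above (static parameters provisioned to the mobile, a dynamic parameter per tap, validation by the issuer's token server, then authorization), worked through as an added Python example. This is not code from the Kona Pay platform or from the slides: the TokenServer, Mobile and TokenRecord names, the truncated HMAC used as the dynamic parameter, the transaction counter used as a replay check, and the sample PAN and balance are all assumptions made here for illustration; real EMV tokenization defines its own cryptogram algorithms, key hierarchies and message formats. The point the model makes visible is that the POS and acquirer only ever handle the token, and that a replayed or altered message is declined before any account is touched.

```python
"""Added example, not code from the Kona Pay slides or platform: a toy model of
the 'Security via Tokenization' transaction flow.  The TokenServer and Mobile
classes, the HMAC-based cryptogram, the counter-based replay check and the
sample card data are assumptions made here for illustration."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class TokenRecord:
    """Vault entry for one token: the slide's static parameters."""
    pan: str               # real PAN; never leaves the issuer domain
    expiry: str            # YYMM, as printed on the card
    key: bytes             # per-token key behind the dynamic parameter
    last_counter: int = 0  # highest transaction counter accepted so far


def cryptogram(key: bytes, token: str, amount: int, counter: int) -> str:
    """Dynamic parameter: truncated HMAC over token and per-transaction data."""
    msg = f"{token}|{amount}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class TokenServer:
    """Issuer-side token server: vault, generator and adapter of the slides."""

    def __init__(self) -> None:
        self._vault: dict[str, TokenRecord] = {}

    def tokenize(self, pan: str, expiry: str) -> tuple[str, bytes]:
        """Provisioning: issue token and key (static parameters) to a mobile.
        The token keeps the PAN format but sits in a separate '9' range."""
        token = "9" + "".join(secrets.choice("0123456789") for _ in range(15))
        key = secrets.token_bytes(16)
        self._vault[token] = TokenRecord(pan=pan, expiry=expiry, key=key)
        return token, key

    def check(self, token: str, amount: int, counter: int,
              mac: str) -> tuple[bool, str, str | None]:
        """Token adapter: validate a presented token; if valid, return the PAN."""
        rec = self._vault.get(token)
        if rec is None:
            return False, "unknown token", None
        if counter <= rec.last_counter:
            return False, "replayed counter", None
        if not hmac.compare_digest(mac, cryptogram(rec.key, token, amount, counter)):
            return False, "bad cryptogram", None
        rec.last_counter = counter  # this counter value is now spent
        return True, "ok", rec.pan


class Mobile:
    """HCE wallet: holds the token and its key, never the PAN."""

    def __init__(self, token: str, key: bytes) -> None:
        self.token, self.key, self.counter = token, key, 0

    def tap(self, amount: int) -> dict:
        """Build the message the phone presents to the POS over NFC."""
        self.counter += 1
        return {"token": self.token, "amount": amount, "counter": self.counter,
                "mac": cryptogram(self.key, self.token, amount, self.counter)}


def authorize(server: TokenServer, balances: dict[str, int], msg: dict) -> str:
    """Issuer authorization system: token server check first, then the account."""
    ok, why, pan = server.check(msg["token"], msg["amount"], msg["counter"], msg["mac"])
    if not ok:
        return f"DECLINED: {why}"
    if balances.get(pan, 0) < msg["amount"]:
        return "DECLINED: insufficient funds"
    balances[pan] -= msg["amount"]
    return "APPROVED"


def run_demo() -> dict:
    """Provision a constructed card, then run the slide's steps 1-6 three times."""
    server = TokenServer()
    pan = "4111111111111111"  # constructed sample PAN
    token, key = server.tokenize(pan, "2712")
    phone, balances = Mobile(token, key), {pan: 100}
    handled = []  # every message the POS and acquirer get to see
    first = phone.tap(40)  # steps 1-5: phone -> POS -> acquirer -> issuer
    handled.append(first)
    r1 = authorize(server, balances, first)  # step 6: token check, then authorization
    r2 = authorize(server, balances, first)  # the same message presented again (replay)
    tampered = dict(phone.tap(10), amount=90)  # amount altered after the tap
    handled.append(tampered)
    r3 = authorize(server, balances, tampered)
    return {"first": r1, "replay": r2, "tampered": r3,
            "pan_exposed": any(m["token"] == pan for m in handled),
            "balance": balances[pan]}
```

Running `run_demo()` returns the three outcomes (approved, declined as replay, declined for a bad cryptogram), confirms that no message seen by the merchant side carried the PAN, and shows the balance debited exactly once. The counter check is deliberately done before the MAC check so that a replay is rejected without spending a MAC computation; a production token server would also enforce expiry and token lifecycle state, which the slides list but this toy omits.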


Different flavors (models) of HCE

(Diagram: each model shows a Mobile Device with Mobile OS, HCE APIs, NFC Controller, a Service applet (agent) and User data, placed as listed below.)

Model 1
• Applet in Cloud
• User data and keys in Cloud

Model 2
• Applet in OS
• User data and keys in OS

Model 3
• Applet in OS
• User data in Cloud

Model 4
• Applet in OS
• User data in Cloud
• Token downloaded to OS

Model 5 (SE-biased)
• Applet in OS
• User data in SE

Birth of Kona Pay: A New Payment Platform in Town

Issuer / Bank

(Diagram of the issuer's arrangements: Plastic card issuance; In-store payment using plastic card; Online payment; Tokenization; Mobile Card Issuance; In-store payment using Mobile card; In-App Payment.)

Multiple business and technical arrangements

Merchant: Online Fraud – Liability Shift

Fraud & Liability
• Potential Data Breach
  Phishing, key logging, etc.
  Hacking Card on File (CoF)
  Transaction data modification or interception
• Key Liability towards Merchant
  Need to secure e-Store, CoF and Transaction

Online Shopping
• Manually enter Card info
  Inconvenient for the user
• Store Card info in online account
  Merchant needs to support Card on File (CoF)
• Online Transaction
  Mag-stripe transaction

User

• Lots of Credit Cards, ID Cards, Coupons, etc.
• Different credit card, different PIN.
• Input credit card information manually
• Trust Merchants with Credit Card Info
• Insecure online transactions.
• Multiple vouchers, coupons, gift cards, etc.
• Need to carry those around physically.
• Longer card delivery time.
• Card cloning.
• Constantly check for suspicious transactions, notify the bank.
• Hassle to block the card and get a new one, also the reimbursement of the money from the bank.

Converging Factors

Single Payment Platform: ALL Form Factors, ALL Provisioning Modes, ALL Payment Modes, ALL Security Measures

Form Factors
• Plastic contact card
• Plastic contactless card
• N Card *
• SE (UICC, mSD, eSE)
• Host card emulation

Provisioning Modes
• Central mass perso
• Instant perso
• SE/HCE OTI or OTA
• SE/HCE (post) issuance OTI/OTA

Payment Modes
• In-store: plastic cards
• In-store: SE/HCE mobile
• In-app: SE/HCE mobile
• In-app/remote: plastic contactless using NFC

Security Measures
• EMV
• Tokenized plastic card **
• Whitebox crypto, LDE
• PKI
• FIDO, TEE (in roadmap)

* N Card is a dual interface plastic card: it supports both contact and contactless, can store multiple credit cards, gift/loyalty/coupons, transport card, etc., can be (post) personalized using the mobile wallet, and can be used to make in-store as well as in-app transactions using NFC between the card and the mobile.

** A tokenized plastic card does not store the original PAN inside, but rather an alternate PAN which generates a cryptogram for the issuer to verify.

Converging Factors

Single Wallet: N Card, SE (UICC, mSD, eSE), Remote Payment, HCE

• N Card is a dual interface plastic card
• Supports both contact and contactless
• Can store multiple credit cards, gift/loyalty/coupons, transport card, etc.
• Post personalized using mobile wallet
• Supports in-store and in-app transaction using NFC between the card and mobile.

Components of Kona Pay

(Diagram of components: Payment Network; Acquirer; User; POS; Remote Payment Gateway; Mobile Application; TSM; Mobile Application Platform; Cloud Platform; Voucher Issuance System; Card Issuance System; Token Service Provider; Transaction Management System; Issuer CMS; Card; Service Manager.)

Personalization Flow

(Diagram, built up over six slides; the components added at each step are:)
• Plastic Cards: the Issuer supplies Raw Data to the Card Issuance System (Data Prep), which works with the Issuer Authorization System and the Service Manager; P3 data goes to the Card Issuance System (Data Perso) and the Perso Machine, which produces the Plastic Cards.
• Tokenized Plastic Cards: as above, with the Token Service Provider (Secure Server) added before the Perso Machine produces Tokenized Plastic Cards.
• HCE: the Cloud Platform and the Mobile Application Platform (MAP) deliver the HCE applet to the Mobile Application over the Internet, with the Token Service Provider (Secure Server) supplying the tokens.
• SE: the TSM provisions the SE in the Mobile through the Mobile App Platform.
• Dual Interface Card: personalized from the Mobile Application through the MAP and the Cloud Platform.
• Final slide: all of the above combined, covering Plastic Cards, Tokenized Plastic Cards, HCE applet, SE and Dual Interface Card.

Transaction Flow

(Diagram, two slides over the same component set: Mobile Application, TMS, Issuer Authorization System, SE, Service Manager, Perso Machine, HCE applet, Issuer, Dual Interface Card, Mobile, TSP, Cloud Platform, TSM, MAP, Card Issuance System (Data Prep), Secure Server.)

• In-store purchases: Card or Mobile → POS → Acquirer → Payment Network → Issuer Authorization System; a Transaction update goes to the TMS.
• In-app purchases: Mobile Application → Remote Payment Gateway → Acquirer → Payment Network → Issuer Authorization System; a Transaction update goes to the TMS.

Issuer / Bank

(Diagram: N Card, Soft card and SE-based card in a Single wallet; In-app and online payment; Voucher redemption; In-store payment.)

One platform supports all form-factors and channels

Merchant: No Liability | No PCI-DSS | Higher Conversion

(Diagram: the Merchant holds only a TOKEN.)

No more Liability
• Card on File
  Does not store the real PAN
  Only stores the Token (alternate PAN)
• Manual Entry
  No need to enter Card info manually
  Token will be used across the entire ecosystem
• Transaction Security
  EMV transaction instead of Magstripe
  Highly secure – impossible to break

No more PCI-DSS
• Cost Saver
  Does not need Certification Issuance / Renewal
  Less administrative cost on Infrastructure

Higher Conversion
• User Experience
  Secured and hassle free Shopping
  Increase conversion rate

User

(Diagram: N Card; One PIN; Single wallet; Secure transactions; Convenient voucher redemption; Single click transaction.)

A journey with Kona Pay: Joy of Smashing Challenges

Challenges - Development with the Spec Releases

Host Card Emulation is a relatively (in payment industry terms) recent idea. However, the major brands have rapidly endorsed it and developed specifications to help vendors.

(Timeline: Nov, Dec, then Jan–Dec with Q1–Q4 of 2014 marked. Entries: Android 4.4 mobile OS platform with HCE support; VCP-CS 1.0 (VISA Cloud-based Payments - Contactless Specifications); EMV Payment Tokenization Specification 1.0; VCP-CS 1.1; VCP-CS 1.2; MasterCard Cloud-Based Payments Specification 1.0; Draft AmEx specifications; Cartes 2014.)

VCP-CS
o Compatible with EMV tokenization spec
o Defined components of HCE eco-system: for provisioning, tokenization, verification, lifecycle management etc., with general responsibilities
o Behavior guidance for application in mobile. Compatible with VCPS

EMV Tokenization Specifications
o PAN, expiry date, cardholder name, cryptographic keys to be tokenized
o Tokens have similar format to original data
o Token ranges different from original PAN ranges etc.
o Different business models: digitized card in mobile, card-on-file online etc.

MasterCard CBP
o Compatible with EMV tokenization spec
o Defined components of HCE eco-system, with specific responsibilities and actions
o Defined specific behavior for application in mobile in detail.
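The two format rules in the EMV Tokenization bullets above (tokens have a similar format to the original data; token ranges differ from the original PAN ranges), worked through as an added Python example. It is not code from the slides, from Kona Pay or from the EMV specification: the issuer PAN prefixes, the single token prefix, the 16-digit Luhn-checked format, and the TokenGenerator and classify names are constructed assumptions for this illustration; the real specification governs how token BIN ranges are allocated. What the example shows is that a downstream system can tell a token from a PAN by its leading digits alone, while the token still passes every format check a PAN would.

```python
"""Added example, not from the slides or the EMV specification: a token
generator that follows the two format rules in the EMV Tokenization bullets.
PAN_PREFIXES, TOKEN_PREFIX and the 16-digit Luhn-checked format are
constructed assumptions for this illustration."""
from __future__ import annotations

import secrets

# Constructed issuer PAN ranges (leading digits) and one constructed token
# range.  The token range shares the PAN format but never overlaps a PAN range,
# so a token can be told apart from a PAN by its leading digits alone.
PAN_PREFIXES = ("4111", "4222", "5412")
TOKEN_PREFIX = "4999"


def luhn_check_digit(partial: str) -> str:
    """Digit that makes `partial + digit` pass the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True when the last digit is the correct Luhn check digit."""
    return (number.isdigit() and len(number) > 1
            and luhn_check_digit(number[:-1]) == number[-1])


def is_real_pan_range(number: str) -> bool:
    return number.startswith(PAN_PREFIXES)


def is_token_range(number: str) -> bool:
    return number.startswith(TOKEN_PREFIX)


def classify(number: str) -> str:
    """What a receiving system can tell from the 16 digits alone."""
    if not (len(number) == 16 and luhn_valid(number)):
        return "malformed"
    if is_token_range(number):
        return "token"
    if is_real_pan_range(number):
        return "pan"
    return "unknown range"


class TokenGenerator:
    """Token generator of the token server: PAN in, format-preserving token out."""

    def __init__(self, rng=secrets.randbelow) -> None:
        self.issued: dict[str, str] = {}  # token -> PAN, i.e. the vault's index
        self._rng = rng  # injectable so a test can make generation deterministic

    def generate(self, pan: str) -> str:
        if classify(pan) != "pan":
            raise ValueError("not a PAN from a known issuer range")
        while True:
            body = TOKEN_PREFIX + "".join(str(self._rng(10)) for _ in range(11))
            token = body + luhn_check_digit(body)
            if token not in self.issued:  # unique within the token range
                self.issued[token] = pan
                return token

    def detokenize(self, token: str) -> str | None:
        """Vault lookup; only the issuer domain may call this."""
        return self.issued.get(token)
```

`TokenGenerator().generate("4111111111111111")` returns a fresh 16-digit, Luhn-valid number starting with `4999`, which `classify` reports as a token and `is_real_pan_range` rejects; passing the same PAN again yields a different token, since uniqueness is enforced against the vault index. The random source is injected only so the generation can be reproduced in a test; in practice it stays `secrets.randbelow`.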


Challenges - Development with the Spec Releases

• Had to adapt to lots of changes within a short time – Had to try different business models to fit in
• Hard deadline to stay ahead of the market competitors
• We had to forecast different behaviors for the MasterCard CBPS Specs – Sometimes it worked and sometimes it didn’t

Challenges We Faced

• Maintaining Effective Peer Code Review, under Serious Deadlines

• Automated Test Coverage

• Scrum Practice in Distributed Teams

• Testing during development – Mocking the dependency
  – Implement the skeleton first from top to bottom.

Challenges We Faced

• Effective Team Collaboration while developing web services – Dependency Analysis before planning a sprint is very vital

Image Source: http://wonderfulengineering.com

People behind Kona Pay

• Total Developers: 22

• Total QAs: 7

• Scrum Teams: 5


Scrum Meeting


Lessons to make scrum successful


Technologies Used for Kona Pay

Mobile App
• Host Card Emulation
• Smart Card Service
• PKI middleware
• White Box Cryptography
• ActiveAndroid
• Dagger
• ButterKnife
• Retrofit
• EventBus

Web Application
• Spring Framework
• Spring MVC
• Spring Integration
• JPA
• Hibernate
• JBoss AS

Other Tools
• RabbitMQ (MQTT)
• HornetQ
• Memcached
• Infinispan
• OpenSSO
• ElasticSearch-Logstash-Kibana

Database
• Oracle
• MySQL

Technologies Used for Kona Pay

Testing
• JBehave
• Gatling
• JMeter
• Collis

Environment
• Eclipse
• Gradle
• JRebel
• Git
• Jenkins

Review & Issue Tracking
• reviewboard
• Redmine

Kona Pay into the Wild: From Korea to The World

Kona Pay was Unveiled in South Korea for Korean Market


Kona Pay Outside Korea

• Kona Pay was unveiled at Money20/20 2015 for the US Market
• Kona Pay will be unveiled at Cartes 2015 for the European Market

Q/A


Thanks