TSM Point of View and Issues Faced EC/ETSI Workshop on ... · Mobile Marketing Ticketing Other...

TSM Point of View and Issues Faced. EC/ETSI Workshop on Collaborative Ecosystem for M-Payments, Sophia Antipolis, France, 1.7.2014. Lauri Pesonen, Giesecke & Devrient

Page 1

TSM Point of View and Issues Faced

EC/ETSI Workshop on Collaborative Ecosystem for M-Payments

Sophia Antipolis, France, 1.7.2014

Lauri Pesonen
Giesecke & Devrient

Page 2

Contents

1. Mobile Payments Landscape
2. Secure Elements Based NFC Ecosystem for Mobile Payments
3. Basic Information on HCE/Cloud Based Mobile Payments and Trusted Execution Environment (TEE)
4. Summary and Conclusions

Page 3

Fueled by Smart Phones, Mobile Financial Services are being launched

Mobile Payments market is diverse with many different solutions

Payment Services:
• In-store Payments (at POS)
• Online Payments
• In-app Payments
• P2P Payments

Payment Schemes:
• Card Payment Schemes: Credit, Debit, Prepaid (Visa, MC, Amex, …)
• Local debit
• Payments from Bank Account
• PayPal
• Other payment schemes

Connectivity:
• NFC
• QR Codes
• BLE
• HTTP

Security:
• Secure Element
• TEE
• SW Security
• Cloud

Other Services:
• Loyalty
• Coupons, offers
• Mobile Marketing
• Ticketing

Mobile Payments on one hand re-use the existing payment services & infra, and on the other hand exploit the capabilities of mobile devices to adapt the existing services and to create completely new services

Page 4

Important Requirements for Mobile Payments

• Consumer Experience
• Security Standards, Open Specs
• Availability
• Scalability
• Cost
• Value Add Services

Page 5

What is NFC?

NFC enables touch based mobile services

NFC stands for Near Field Communication

NFC is a contactless technology
• Standardized: contactless card mode ISO 14443, NFC air interface ISO 18092
• Compatible with contactless payment terminals
• Compatible with other contactless infra, such as ticketing and access control

NFC is mainly deployed in mobile devices

NFC enables mobile contactless applications, e.g. payment, ticketing, loyalty

NFC uses a Secure Element (SE) as a processor and storage for security sensitive applications, such as payment and ticketing

Page 6

Mobile NFC Ecosystem

Secure Element Enables Secure Mobile Applications

SECURE ELEMENT (SE):
• Multi-application smart card chip in the NFC device
• Different form factor alternatives issued by MNOs or other parties
• Stores smart card applications issued by Service Providers

TSM provides secure aggregating services for
• OTA management of secure elements
• OTA provisioning of SE applications
• OTA life-cycle mgmt of SE applications

[Diagram: Mobile NFC ecosystem]
• SERVICE PROVIDERS (issue SE applications): TRANSPORT COMPANIES, PUBLIC AUTHORITIES, BANKS, VENUES, RETAILERS
• SE ISSUERS (issue Secure Elements): MNOs, OEMs
• TRUSTED SERVICE MANAGEMENT: SP TSM and SEI/MNO TSM, Global Platform API, OTA
• SE form factors: SIM, microSD, Embedded SE, Accessory
• Mobile Wallet
• ONLINE SERVICES / MOBILE SERVICES (use of SE APPLICATIONS for online services): STRONG AUTHENTICATION, MOBILE BANKING, REMOTE PAYMENTS
• PROXIMITY SERVICES (use of SE/NFC APPLICATIONS in proximity infrastructure): NFC PAYMENT, LOYALTY, COUPONS, TRANSIT TICKETING, EVENT TICKETING, ACCESS CONTROL, SERVICE DISCOVERY

Page 7

Leveraging contactless acceptance infrastructure and mobile services NFC provides value for business stakeholders and consumers

MOBILE OPERATORS
• Role of multi-application Secure Element issuer
• NFC as a new channel to existing operator services
• New NFC based services
• New customer acquisition, retention of existing customers

TRANSPORT OPERATORS
• Leverage existing contactless ticketing infra to introduce mobile ticketing
• Cost efficient OTA ticket issuance
• More customers, less free riders
• Mobile channel – new and convenient services to commuters

BANKS
• Part of mobile channel – portfolio of mobile financial services supported by frequently used payments
• Leverage existing contactless acceptance infra to introduce mobile payments
• New customer acquisition, retention of existing customers

MERCHANTS
• Mobile loyalty and CRM programs – enhanced consumer experience, profiling with opt-in usage
• Leverage the investments in contactless acceptance
• More customers, more business

CONSUMERS with NFC phone
• Always with you
• Online services
• Proximity interactions
• Customized Experience
• Multiple services

Page 8

NFC Mobile Payments leverage existing card payments infrastructure

[Diagram: NFC mobile payment flow]
• Components: Issuer (Account Mgmt, Issuer Auth Host), TSM, Acquirer, C’less POS Terminal, End User, Wallet, Secure Element with Payment Applet, NFC
• Issuer Issuance of Mobile Payment Card (debit, credit) to NFC Phone with Secure Element
• Secure storage and processing of payment credentials
• Contactless payment
• Contactless payment transaction in the existing payment acceptance and processing infrastructure

Page 9

Trusted Service Management framework in the NFC Ecosystem

SERVICE PROVIDER ”DOMAIN”: Management of SP applications
Components: Service Provider Systems, NFC Application Management (SP TSM)

TSM services to SPs
• Key management of SPSD
• Loading of SP applet into SPSD (depending on SSD conf.)
• Data preparation of SP applet
• Personalization of SP applet
• Life-cycle management of SP applet: lock, unlock, delete
• Notifications between SEI and SP domains

SEI “DOMAIN”: Management of Secure Elements
Components: SEI Systems, SE Management (SEI TSM)

SE Manager functions
• Eligibility checks
• Creation of security domains (SPSD) on SE for Service Providers
• Authorization of which applets can be loaded into SE / SSD (GP Delegated Mode)
• Loading of applets (GP Simple Mode)
• Deletion of applets (GP Simple Mode)
• Subscription/SIM/handset life-cycle management in relation to NFC service
• Notifications between SEI and SP domains

[Diagram: other labels]
• CA (Controlling Authority)
• GP TSM Messaging Interface between the two TSMs
• Over-the-Air (OTA)
• SE (SIM/other): ISD, SPSD, Service Provider Applet
• Mobile Wallet
• NFC
• NFC Usage: Use of NFC applications at contactless acceptance infrastructure for payment, ticketing, loyalty etc.
• Use of SE APPLICATIONS for online services

Page 10

TSMs are Trusted Service Aggregators in the NFC Ecosystem

• TSM’s primary role is to provide secure services for provisioning and life-cycle management of consumer’s NFC applications on secure elements, after the consumer has purchased NFC phone

• TSMs provide service aggregation on behalf of secure element issuers and service providers

• TSM’s role is to be technology agnostic and to support different mobile devices and secure elements

Page 11

GlobalPlatform is the de-facto standardization body for TSM interoperability

• Role of GP
  • GlobalPlatform is a member-driven association with good representation from all stakeholders across the NFC ecosystem and related markets. Using this wealth of knowledge and adopting a collaborative approach, GlobalPlatform has been able to assess the business requirements of each industry sector and develop specifications that promote universal messaging that is adaptable to support all business models and use cases.

• Two specifications & one configuration framework have been released by GlobalPlatform to date
  • Web Services Profile for GlobalPlatform Messaging Specification v1.0
  • GlobalPlatform’s Specification for Management of Mobile NFC Services v1.0, 1.1, 1.1.2
  • E2E Simplified_Service_Management_Framework_v1.0

• Support & alignment
  • The GlobalPlatform Mobile Messaging Specifications align with, and meet the requirements of, key industry associations including the European Payments Council (EPC), GSMA and use cases from the Association Française pour le ‘Sans Contact’ Mobile (AFSCM).

• Work in progress
  • Compliance Program: GlobalPlatform will align its compliance program to support the end-to-end framework. It will test products against current specifications for cards and devices, and then use the framework as a potential use case to test the end-to-end deployment.

Page 12

Market Status for NFC/SE based Mobile Payments

• A large number of NFC mobile payments projects implemented worldwide during the last years, using secure element of the NFC device for payments

• Many projects have gone live for commercial service stage, additional projects are being prepared for commercial launch

• NFC handset availability has significantly improved, except for Apple / iPhone

• Contactless payment acceptance infrastructure is also growing

• Specifications and standards existing, many vendors offering compliant products and services

• However, the consumer uptake for the launched NFC services is low

Page 13

Considerations on the issues and challenges for SE based NFC Mobile Payments

• Relatively high complexity of the ecosystem with multiple stakeholders and a number of interconnecting systems/components

• Different views between stakeholders on the fees for NFC enablement

• Competing interests on mobile wallets, i.e. who provides the wallet to consumers

• Even if consumers have NFC enabled mobile devices, secure element access is not granted – for many markets NFC SIMs are not yet a mainstream SIM product, embedded secure elements not available

• End-user process for applying for NFC services can be cumbersome

• Lack of additional NFC mobile services in addition to payments

• Low consumer awareness of NFC services

Page 14

Google announced Host Card Emulation on Android 4.4 end of October – since then it has generated substantial interest in HCE enabled cloud payments

Card Emulation with SE (Android-, BB-, WP- handset with NFC):
• Components: Android App (Wallet / UI), Secure Element, NFC Controller
• The SE itself performs the communication with the NFC terminal, no Android APP is involved in the POS transaction

Host Card Emulation (Android OS 4.4 with NFC):
• Components: Android App, NFC Controller, Data Centre
• With HCE the Android APP communicates with the NFC terminal, or alternatively routes communication between a cloud server and the terminal (Android APP as proxy)

Page 15

Mobile Contactless Cloud Payments

• Definition: cloud payments mean a mobile contactless payment transaction at POS, where payment credentials are managed in cloud and accessed via mobile device to conduct the payment transaction

• Basic Concept
  • Cloud payment does not use secure element on mobile device
  • Cloud stores payment credentials which can be used for generating ”payment tokens” for POS payments
  • Wallet accesses the Cloud Payment Service to request payment tokens to be used for POS payments
  • Wallet emulates the payment card and uses payment credentials / tokens received from cloud, when transacting with POS – SW based and system-wide security, online authorization of payment transactions
  • No changes required for POS terminal or Acquirer
  • No connection to Cloud during the payment transaction – Wallet interacts with Cloud prior to the payment transaction and downloads payment credentials / tokens that can be used for one or multiple payment transactions

[Diagram: High Level Cloud Payment Solution]
• Components: Issuer (Issuer Account Mgmt, Issuer Auth Host), Cloud Payment Service, Acquirer, POS Terminal NFC enabled, End User, Smartphone with HCE (Wallet, Cloud Client, NFC)

Note – Issuer Account Mgmt is a collective term and represents various issuer systems that are relevant for mobile payments service

Page 16

The Concept of Trusted Execution Environment (TEE) - Securing Apps

TEE provides an extended security scope

[Diagram: Smart Connected Device Processor]
• Normal World: Rich OS, App 1, App 2, App n, Trustlet Connector, TEE Driver Kernel Module
• Secure World: Trusted Execution Environment, Secure OS, Secured App 1, Secured App 2, Secured App n, Microkernel, Runtime Mgmt., Crypto Driver, Keypad Driver, etc.
• Hardware Peripherals: User Interface like touchscreen and keypad
• SIM / eSE / SD Card: Embedded processor & data storage
• TEE TSM: OTA Life-Cycle Management of Secured Apps

Page 17

Summary & Conclusions

• Mobile Payment landscape is diverse with multiple solutions on the market and additional being introduced

• NFC & Secure Element enabled mobile payments are a standardized and secure solution, which effectively use existing contactless payment acceptance infrastructure for card payments

• Significant NFC project activity during the last years worldwide

• Consumer takeup of mobile NFC services, including payments, still low

• Ecosystem complexity and business issues are the main challenges for NFC & Secure Element based mobile payments – these are to be further addressed

• Cloud based payments on HCE/NFC enabled devices are emerging

• Collaboration across industries important for the creation of a sustainable and widely used mobile payments ecosystem

Page 18

Thank You!

Lauri Pesonen
Group Vice President, Global Head of BL NFC
BU Mobile Security
Giesecke & Devrient