Mobile Payment @ the POS - PowerPoint Presentation

Uploaded by helene on 2024-02-02


Presentation Transcript

1. Mobile Payment @ the POS
Jack Jania, SVP Gemalto
Jack.Jania@gemalto.com
October 2012
Technology in Retail Payment Innovations

2. Agenda
- The changing POS payment environment
- Mag-Stripe, EMV, NFC…
- NFC - TSM ecosystem
- NFC Payment examples
- Conclusion

3. Every few decades, an industry gets hit by a tsunami of changes
[Diagram labels: U.S. Payments Industry; Regional Networks; Global Networks; Merchant; Issuer; Acquirer; Consumer]
EMV + Durbin + Mobile
2011 Key Changes:
- Isis announcement
- EMV Liability Shift
- Durbin Amendment

4. The associations have a technology solution ready today
EMV 4.3 Compliant Apps: VSDC, MChip, D-Pas, AEIPS, WLEMV

5. Agenda
- The changing POS payment environment
- Mag-Stripe, EMV, NFC…
- NFC - TSM ecosystem
- NFC Payment examples
- Conclusion

6. Mag-stripe transaction
[Diagram labels: PAN, Expiry date, Service code, CVC/CVV; Issuer authorization system]
- Mag-stripe data is read by the POS
- The data is STATIC: identical for each transaction
- CVC/CVV is the encryption of (PAN, Expiry date, Service Code) using a key specific to that card. This key can be retrieved by the issuer authorization system.
10/16/2012 – Presentation title – Security level Arial (10pt)

7. Magstripe transaction
[Diagram labels: PAN, Expiry date, Service code, CVC/CVV; Authorization Request (Amount, PAN, Expiry date, Service code, CVC/CVV…); Issuer authorization system]
- The POS computes the authorization request and sends it to the issuer authorization system

8. Magstripe transaction
[Diagram labels: PAN, Expiry date, Service code, CVC/CVV; Authorization Request (Amount, PAN, Expiry date, Service code, CVC/CVV…); Issuer authorization system]
- The authorization system performs risk management
- It also checks the validity of the CVC/CVV by recalculating it using:
  - the (PAN, Expiry date, Service code) transmitted in the authorization request
  - the secret key associated with that card
- If the CVC/CVV is validated, the card is considered genuine

9. Magstripe transaction
[Diagram labels: PAN, Expiry date, Service code, CVC/CVV; Authorization Request (Amount, PAN, Expiry date, Service code, CVC/CVV…); Authorization Response (Approved / Declined); Issuer authorization system]
- The authorization response is sent back to the POS.

10. Mag-stripe transactions
- Mag-stripe cards are easy to clone
- Card authentication is based on STATIC data
- Cloned cards will be considered authentic, since they carry the same data as real cards

11. EMV Contact & Contactless Cards
- Contactless: antenna inside
- Mag-stripe on the back
- EMV Chip

12. Mag-Stripe vs EMV transactional data
xxxxxxxxxxxx^Smith/John^110120116604000000000000000000000?
;5268xxxxxxxxxxxx=11012011660400000000?

13. EMV chip transaction – Online
[Diagram labels: Card data; Amount, currency, …; Issuer authorization system]
Transaction initiation: POS and card exchange data
- Track 2 equivalent data
- Card settings and capabilities
- Transaction data (amount, currency, date, etc)
- …

14. EMV chip transaction – Online
[Diagram labels: Card data; ATC, ARQC, …; Amount, currency, …; Issuer authorization system]
- Card generates an Authorization ReQuest Cryptogram (ARQC).
- ARQC is the encryption of card and terminal data using a secret key specific to that card. This key can be retrieved by the issuer authorization system.
- ARQC is a DYNAMIC cryptogram: it is different for each transaction

15. EMV chip transaction
[Diagram labels: ATC, Amount, Currency, Date, …; ARQC; 3-DES]
- ATC is a transaction counter
- It is incremented for each transaction
- The card will never generate the same ARQC value twice

16. EMV contact transaction – Online
[Diagram labels: Card data; ATC, ARQC, …; Amount, currency, …; Authorization Request (Amount, PAN, ATC, ARQC…); Issuer authorization system]
- Authorization request is sent to the issuer authorization system
  - Same data as a mag-stripe transaction
  - Additional EMV data

17. EMV contact transaction – Online
[Diagram labels: Card data; ATC, ARQC, …; Amount, currency, …; Authorization Request (Amount, PAN, ATC, ARQC…); Issuer authorization system]
- The authorization system performs risk management
- It also checks the validity of the ARQC by recalculating it using:
  - the data transmitted in the authorization request
  - the secret key associated with that card
- If the ARQC is validated, the card is considered genuine, and there is a guarantee that the transaction data has not been tampered with (amount, …)

18. EMV contact transaction – Online
[Diagram labels: Card data; ATC, ARQC, …; Amount, currency, …; Authorization Request (Amount, PAN, ATC, ARQC…); Authorization Response (Approved / Declined, ARPC, …); Issuer’s decision, ARPC; Card’s final decision; Issuer authorization system]
- Issuer host generates an authorization response
- Response may include an Authorization ResPonse Cryptogram that authenticates the issuer and the issuer decision.
- The card may validate the ARPC before giving its final decision.

19. EMV contact transaction – Online
- Card authentication is based on DYNAMIC data (ARQC) generated by the card secret key
- Card secret key cannot be retrieved from one card and duplicated onto another card
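
The contrast drawn in slides 6–10 and 14–19, as an added example that is not part of the original presentation: an issuer-side check that accepts a copy of static mag-stripe data but rejects an altered or resent ARQC. HMAC-SHA256 stands in for the card's 3-DES computation, and the class names, sample key, card values and the issuer's ATC check are assumptions of this example.

```python
import hashlib
import hmac

def mac(key, *fields):
    # Stand-in for the card's 3-DES step: HMAC-SHA256 is swapped in (assumption).
    msg = "|".join(str(f) for f in fields).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class ChipCard:
    """Hypothetical chip card: the key stays inside, only ATC and ARQC leave."""
    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0

    def generate_arqc(self, amount, currency):
        self.atc += 1  # transaction counter, incremented for each transaction
        return self.atc, mac(self._key, self.pan, amount, currency, self.atc)

class Issuer:
    """Hypothetical issuer authorization system holding the per-card keys."""
    def __init__(self, keys):
        self.keys, self.last_atc = keys, {pan: 0 for pan in keys}

    def check_magstripe(self, pan, expiry, service_code, cvv):
        # Recalculate the CVC/CVV from the static fields in the request.
        expected = mac(self.keys[pan], pan, expiry, service_code)
        return hmac.compare_digest(expected, cvv)

    def check_emv(self, pan, amount, currency, atc, arqc):
        # Recalculate the ARQC from the transaction data in the request.
        expected = mac(self.keys[pan], pan, amount, currency, atc)
        if not hmac.compare_digest(expected, arqc):
            return False  # wrong key, or amount/currency/ATC were altered
        if atc <= self.last_atc[pan]:
            return False  # assumption: issuer refuses an ATC it has already seen
        self.last_atc[pan] = atc
        return True

def demo():
    pan, key = "5268xxxxxxxxxxxx", b"constructed-card-key"  # constructed values
    issuer = Issuer({pan: key})
    stripe = (pan, "1101", "201", mac(key, pan, "1101", "201"))  # static stripe data
    atc, arqc = ChipCard(pan, key).generate_arqc("25.00", "USD")
    return {
        "stripe_genuine": issuer.check_magstripe(*stripe),
        "stripe_copy": issuer.check_magstripe(*stripe),  # a copy is byte-identical
        "emv_altered_amount": issuer.check_emv(pan, "950.00", "USD", atc, arqc),
        "emv_genuine": issuer.check_emv(pan, "25.00", "USD", atc, arqc),
        "emv_resent": issuer.check_emv(pan, "25.00", "USD", atc, arqc),
    }
```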

20. Introduction to NFC
What is Near Field Communication?
- Short range wireless (<4 cm); Low speed (<424 kbits/sec)
- User friendly & simple (no discovery, no pairing, just “tap”)
- Passive capability (one of the devices can be unpowered)
NFC has 3 modes:
  1. Card Emulation allows a mobile phone to simulate a physical contactless card
  2. Reader/Writer allows reading or writing information to or from a passive tag/poster
  3. Peer-to-Peer allows bidirectional communication between devices

21. Anatomy of an NFC Smart Phone
- NFC phones contain special hardware
- NFC hardware is supported by multiple cell phone manufacturers
[Diagram labels: NFC; Phone Processor; Secure Element; NFC Controller; NFC Antenna]
- Secure Element: Stores sensitive data (like payment card information)
- NFC Controller: Manages traffic and RF signals
- NFC Antenna: Collects & transmits the RF

22. EMV contactless and NFC transactions – Online
[Diagram labels: Card data; ATC, ARQC, …; Amount, currency, …; Authorization Request (Amount, PAN, ATC, ARQC…); Authorization Response (Approved / Declined); Issuer’s decision, ARPC; Card’s final decision; Issuer authorization system]
- Contactless and NFC transactions offer the same level of security as contact transactions.
- Contactless and NFC devices leave the field before the authorization response is received by the POS. Issuer actions can be performed:
  - Card: during the next contact transaction
  - Mobile phone: using the OTA (over-the-air) channel

23. Agenda
- The changing POS payment environment
- Mag-Stripe, EMV, NFC…
- NFC - TSM ecosystem
- NFC Payment examples
- Conclusion

24. NFC Ecosystem
[Diagram labels: TSM; NFC Phone; Contactless Infrastructure; Bank, Transport Operators, Merchants…; MNO TSM; SP TSM Services; UICC & eSEs; Micro SDs; Mobile Wallet; Consulting; SE Applications; MNO OTA Platform]

25. Functional block flow diagram
[Diagram labels: SP TSM; SE/MNO TSM; Wallet (UI); NFC; Tower; Phone; Data Prep; SE; Merchant Acquirer; POS Terminal; Reader; Cardholder/ Authorization; Virtual Card; Personalization System; Transactional System; (Contactless Spec For Reader App); Card Mgmt. System]

26. Bank and Wireless Operator TSM architecture
[Diagram labels: Gemalto Operation center; Banking Security Zone; Operator Security Zone; Core TSM; SP; SP TSM; SP TSM 2; SP 1 Backend System; SP 2 Backend System; MNO; MNO TSM; MNO TSM 2; MNO Backend systems]
- Custom Integration based on the APIs of MNO components
- MNO’s control point, global view and integration to backend systems
- NFC Business Enabler
- In charge of NFC service provisioning and management

27. SP-TSM and MNO TSM: Roles and responsibilities
MNO TSM (Business Enabler) / Payment TSM
- Global SE control
- MNO global subscriber view
- Single entry point for any TSM
- Notifications
- Token management
- SP Security Domain management
- Application provisioning and personalization
- Lock & unlock
- End of life
- Post-perso (top-up, counter reset …)
- SE & handset replacement
- SP global subscriber view
[Diagram labels: SD; SP]

28. Little bit more detail
[Diagram labels: Bank backend systems; NBE; Customer Handset; Payment TSM; MNO TSM 1 (Business Enabler); MNO TSM 2 (Business Enabler); MNO 1 Backend System; MNO 2 Backend System; GP TSM Messaging or AFSCM API; Bank Mainframe / Account Management; Mobile Customer Workflow Manager; Authorization System; OTP / Authentication System; Controlling Authority Key Management; Service Interface; Gemalto Operation center; TSM Certified Zone; Mobile EMV DP; Mobile EMV DP; Alternatively supplied by 3rd party]
- Post-issuance event from CMS or SVA / Customer Service / Internet
- Notification of post-issuance events from customer handset or MNO
- Key ceremony: CAP / Auth. Key exchange
- Key ceremony: Payment MKey exchange
- For GP2.2ASE only
- Prepare and transfer mobile card input file
- Real time transmission of post-issuance event from customer handset (OTA channel)
- Post-issuance events from back-end (OTA channel)
Legend: Recurrent flow; One-off provisioning

29. Bank data is encrypted end-to-end during transport
- Confidential Card Content Management (CCCM of GP standards)
  - Guarantees the confidentiality of application code, commands and data exchanged OTA
- Authorized Management
  - Levels for MNO and TSM SD separate in USIM
  - Enables a TSM to create new SD, download & personalize applications in total freedom
[Diagram labels: SCP02 (for SD); 03.48 secure OTA; EMV Data; EMV Data]

30. Agenda
- The changing POS payment environment
- Mag-Stripe, EMV, NFC…
- NFC - TSM ecosystem
- NFC Payment examples
- Conclusion

31. ISIS mobile & Card Payment Flow – In-store transaction
[Diagram labels: In-store POS (Merchant); Merchant acquirer; VISA MasterCard Amex Discover Network; Issuing bank; Card Present Transaction; steps 1, 2, 3]

32. Google Wallet V2 – In-store transaction
Google becomes Issuer & Merchant
[Diagram labels: In-store POS (Merchant); Merchant acquirer; MasterCard Network; Issuer Authorization Host; VISA MasterCard Amex Discover Network; Merchant Acquirer Host; Linked Card Issuing bank; Bank CMS DB; Google Cloud; Wallet ID (Google VC MC) vs Linked cards #; Wallet ID; Credit Card 1; Credit Card 2; Credit Card 3; Credit Card ..; Card Present Transaction; Card Not Present Transaction; ISSUER; MERCHANT; steps 1, 2, 3, 4, 5]

33. Conclusion
- EMV infrastructure is much more secure than the existing mag-stripe card infrastructure.
- NFC mobile payment leverages existing EMV POS methodology to enhance mobile payment security
- Payment risk ownership will be predicated on the back office model adopted by the mobile provider & Issuing bank

34. Jack Jania, SVP Gemalto
Jack.Jania@gemalto.com
October 2012
Technology in Retail Payment Innovations

35. Gemalto (NYX:gto.pa) secures the lives of billions of people in payments, mobile, governments/military & corporations
- € 2.1 billion revenue 2011
- Innovation: 14 R&D centers worldwide; 1,500+ engineers; 107 inventions first filed in 2011; 1,200 patent families
- Global footprint: 15 production centers; 28 personalization facilities; 74 sales & marketing offices
- Experienced team: 10,000+ employees; 100 nationalities; 43 countries
Regional revenue (% of FY ’11 revenue):
- Europe, Middle East, Africa: € 1040m, 52% of revenue
- North & South America: € 580m, 29% of revenue
- Asia: € 380m, 19% of revenue