Going Mobile with cloud payments (HCE)
Martin Hawes CISSP, October 2016
Tinkoff Bank: uses Thales HSMs with HCE to emulate a contactless payment card on an Android mobile
HCE just worked on existing contactless terminals “Hey Simon… we just bought some coffee in Starbucks with our phone!”
HCE – maybe not just a payment card emulation
Maybe add payments to any Android app
Voyage Advisor: Travel Card, Hotels, Maps and route, What's on, Loyalty, Credit card
One app for travel:
- Loads emulation of the local travel card
- Authenticates into and pays for travel
- Integrated into the travel experience
- Closed loop, or card on behalf of the bank
- Loyalty
Secure e-commerce: MasterCard DSRP (Digital Secure Remote Payments) – EMV-like transactions for in-app payments
Google introduces Android support for HCE, November 2013: https://developer.android.com/guide/topics/connectivity/nfc/hce.html
Schemes announce support of HCE February 2014
Apple Pay – launched in October 2014
Simplifying the user experience:
- Simple process to enrol cards
- Automatic wallet start-up
- One Touch fingerprint confirmation
Enhancing the security:
- Embedded secure element
- Tokenization of credentials
- No card information shared with merchants
Partnering rather than disrupting:
- Using existing payment card rails
- Using established standard technology – EMV, NFC
- Leveraging card schemes' expertise and business models
Where first? What makes a hot HCE market?
Consumers who understand and like contactless because:
- Contactless cards are available and already used
- Terminals support contactless
HCE key markets need:
- A high percentage of Android HCE-capable smartphones
- Apple Pay has warmed the market
- Banks with an inclusive (not just Apple) mobile payments vision
Is the UK a hot HCE market? (the same checklist, applied to the UK)
What is Host Card Emulation (HCE)?
- Does not require the use of a Secure Element on the mobile device
- The mobile application has the payment credentials
- Only essential payment data is on the device, the rest is in the 'cloud'
- Major card schemes have their own proprietary specifications for support of HCE implementations
- Increased risk is mitigated through use of: dynamic keys, tokenization of the PAN, HSMs in the back office, mobile app security layers
- Android KitKat 4.4 and above, from November 2013
- The mobile needs NFC hardware; IHS predicts NFC in 64% of cellphones by 2018
Diagram: Phone OS – NFC Controller – Host Card Emulation – PAY APP (Secure Element shown alongside); secure channel over TCP to the issuer: offline payments, online for registration, online for key replenishment
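The slide says the phone talks to existing contactless terminals without a Secure Element; concretely, the wallet app must answer the terminal's ISO 7816-4 SELECT by AID command over NFC. The following is an added example, not code from the slides, Thales or Android: it models in Python what an Android HostApduService does in processCommandApdu(), with both the terminal side (building the SELECT) and the phone side (parsing it and answering with a status word). The AID and the response payload are constructed sample values, not a real scheme AID.

```python
"""Model of the contactless exchange an HCE app must answer: the terminal's
ISO 7816-4 SELECT by AID command and the phone's response with a status word.
Added example, not the slides' or Android's code; it mirrors what an Android
HostApduService.processCommandApdu() implementation does. The AID here is a
constructed proprietary-format value, not a real scheme AID."""

INS_SELECT = 0xA4
SW_OK = bytes.fromhex("9000")                  # success
SW_WRONG_LENGTH = bytes.fromhex("6700")        # malformed Lc/data
SW_FILE_NOT_FOUND = bytes.fromhex("6A82")      # AID not hosted here
SW_INS_NOT_SUPPORTED = bytes.fromhex("6D00")
SW_CLA_NOT_SUPPORTED = bytes.fromhex("6E00")

# Constructed sample: one AID the wallet app registers with the OS, and its response payload
HOSTED_AIDS = {bytes.fromhex("F0010203040506"): b"example-wallet"}


def build_select_aid(aid):
    """Terminal side: CLA=00 INS=A4 P1=04 (select by DF name) P2=00 Lc AID Le=00."""
    if not 5 <= len(aid) <= 16:
        raise ValueError("AID must be 5..16 bytes")
    return bytes([0x00, INS_SELECT, 0x04, 0x00, len(aid)]) + aid + b"\x00"


def parse_apdu(apdu):
    """Split a short-form command APDU into (CLA, INS, P1, P2, data); raises ValueError if malformed."""
    if len(apdu) < 4:
        raise ValueError("APDU shorter than the 4-byte header")
    cla, ins, p1, p2 = apdu[:4]
    body = apdu[4:]
    if not body:
        return cla, ins, p1, p2, b""
    lc, data, trailer = body[0], body[1:1 + body[0]], body[1 + body[0]:]
    if len(data) != lc or len(trailer) > 1:   # trailer may only be a single Le byte
        raise ValueError("Lc does not match the data length")
    return cla, ins, p1, p2, data


class HostCardEmulator:
    """Phone side: routes SELECT commands to the hosted application, like a HostApduService."""

    def __init__(self, aids):
        self.aids = aids
        self.selected = None

    def process_command_apdu(self, apdu):
        try:
            cla, ins, p1, p2, data = parse_apdu(apdu)
        except ValueError:
            return SW_WRONG_LENGTH
        if cla != 0x00:
            return SW_CLA_NOT_SUPPORTED
        if ins != INS_SELECT or p1 != 0x04:
            return SW_INS_NOT_SUPPORTED      # only SELECT by AID is modelled here
        if data not in self.aids:
            self.selected = None
            return SW_FILE_NOT_FOUND
        self.selected = data
        return self.aids[data] + SW_OK          # response body, then the two status bytes

    def on_deactivated(self):
        """Called when the NFC link drops or another AID is selected; forget the selection."""
        self.selected = None
```

The payment commands that follow a successful SELECT (GET PROCESSING OPTIONS, READ RECORD, GENERATE AC) are scheme-specific and not modelled; what the example shows is the routing step the OS and the app share, and the status words a terminal expects for a hosted AID, an unknown AID, an unsupported instruction and a malformed command.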
HCE: the banks' opportunity to take control
- An alternative to the Secure Element (SE) TSM model
- Manage your master keys
- Control critical assets
Look how HCE puts you back in control…
Diagram, Host Card Emulation (HCE): Consumer, Mobile App, Issuer Host (Issuing Bank), Mobile Network Operator, Merchant, Contactless POS Terminal, Payment Network
New Challenges | New Solutions
- Securing the registration process
- Risk analysis
- Delivering credentials securely to the phone
- Managing the key and credential lifecycle
- Tokenisation
Layered security to reduce your risk
Session key security:
- New issuer master keys dedicated to HCE transactions
- New 'digital card' keys dedicated to HCE transactions
- Session/single-use keys to minimize risk and prevent replay attacks
Alternative PAN or token approach:
- Isolate HCE from other payment channels
- Devalue the 'PAN' if stolen from the phone
- Seamless integration of issuer-side tokenization where needed
Secure communications with the mobile phone:
- The HSM acts as an endpoint for the TLS secure session
- All critical keys and data are supplied to the phone in encrypted form
- An HSM-controlled TLS session enhances the traditional web server session
Host Card Emulation with Thales HSMs
Device provisioning: manage session keys, manage apps, provision the device
Account management: manage master and card keys, manage customer accounts, manage PINs/passcodes
Transaction processing: derive session keys, fraud management, payment authorization
Diagram: Internet – Merchant POS – Acquirer – Card Network – Issuer Back Office Systems, with HSMs behind each issuer function and a web server facing the internet
Thales Hardware Security Modules
- Tamper resistant, certified security
- Secure cryptographic operations
- High assurance key management
- nShield: multi-purpose HSM family
- payShield: payments HSM family
Thales, ready to go when you are
HSM functionality available off-the-shelf:
- Visa, MasterCard and American Express variants supported
- Dedicated payShield 9000 functions – no additional development needed
- Update to PCI HSM certification in progress
Proven integration with leading HCE solutions:
- Major solution providers have pre-integrated with payShield 9000
- Low risk, plenty of choice, superior support
Comprehensive consultancy, training and support:
- We understand the cryptography necessary to support HCE
- We can help your team get up to speed quickly with the overall system
- 24 x 7 support is what we can offer you
HCE – your opportunity to take control of mobile payments
- Terminals, schemes, customers and mobiles are ready for HCE
- Working with Thales will make implementation quicker and more secure
- Thales is committed to securing HCE solutions
Any questions? martin.hawes@thales-esecurity.com
Additional info
New security challenges, new risk models
Securing the registration process:
- Out-of-band activation codes – need a strong RNG
- Secure communications session – need hardware-based TLS
- Authenticity of the mobile app – need secure certificate management
Delivering credentials securely to the phone:
- The HSM protects keys at all times – standards-based key exchange
- Sensitive data protected at all times – hardware-based encryption
- Secure remote management – mutual authentication
Managing the key and credential lifecycle:
- Supplying sufficient keys – pre-generated based on the risk model adopted
- Replenishing keys – secure pro-active updates
- Detecting fraudulent transactions – validating cryptograms
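The "Layered security" slide and the lifecycle slide above describe the same machinery from two angles: a master key dedicated to HCE, a per-token digital card key, a batch of pre-generated single-use session keys on the phone, replenishment when they run out, and issuer-side cryptogram validation that stops replays. The following is an added example, not code from the slides or from Thales, that walks through that lifecycle end to end. It uses HMAC-SHA256 from the Python standard library as a stand-in for the AES/3DES key derivations and the EMV cryptogram an HSM would compute; the derivation labels, the token format, the counter handling and the sample transaction are all constructed for illustration.

```python
"""Issuer-side model of the HCE key lifecycle: a dedicated HCE master key,
a per-token 'digital card' key, single-use session keys indexed by ATC,
and cryptogram validation that rejects replays and unprovisioned counters.
Added example, not Thales or scheme code: HMAC-SHA256 stands in for the
AES/3DES derivations and EMV cryptogram that an HSM would compute, and the
labels, token format and sample transaction are constructed."""
import hashlib
import hmac
import secrets


def derive(parent, label, material):
    """Stand-in for HSM key derivation: child = HMAC(parent, label || material)."""
    return hmac.new(parent, label + material, hashlib.sha256).digest()


def cryptogram(session_key, token, atc, amount_minor, un):
    """Stand-in for the EMV application cryptogram over the transaction data."""
    data = token.encode() + atc.to_bytes(4, "big") + amount_minor.to_bytes(6, "big") + un
    return hmac.new(session_key, data, hashlib.sha256).digest()[:8]


class Issuer:
    """Issuer back office. Only this side holds the master key and the card keys."""

    def __init__(self, hce_master_key):
        self.hce_master_key = hce_master_key   # dedicated to HCE, separate from the card IMKs
        self.tokens = {}

    def enrol(self, pan, batch_size):
        token = secrets.token_hex(8)           # alternative PAN: worthless if stolen from the phone
        card_key = derive(self.hce_master_key, b"digital-card-key:", token.encode())
        self.tokens[token] = {"pan": pan, "card_key": card_key, "issued_upto": 0, "used_atcs": set()}
        return token, self.replenish(token, batch_size)

    def replenish(self, token, n):
        """Pre-generate the next n single-use session keys for this token."""
        rec = self.tokens[token]
        first, rec["issued_upto"] = rec["issued_upto"], rec["issued_upto"] + n
        return [(atc, derive(rec["card_key"], b"session-key:", atc.to_bytes(4, "big")))
                for atc in range(first, first + n)]

    def authorize(self, token, atc, amount_minor, un, received):
        rec = self.tokens.get(token)
        if rec is None:
            return "DECLINE: unknown token"
        if atc >= rec["issued_upto"]:
            return "DECLINE: ATC was never provisioned"
        if atc in rec["used_atcs"]:
            return "DECLINE: replay, ATC already used"
        session_key = derive(rec["card_key"], b"session-key:", atc.to_bytes(4, "big"))
        if not hmac.compare_digest(cryptogram(session_key, token, atc, amount_minor, un), received):
            return "DECLINE: cryptogram mismatch"
        rec["used_atcs"].add(atc)               # burn the counter so the same tap cannot be replayed
        return "APPROVE"


class Phone:
    """Mobile app: holds the token and a small batch of single-use keys, nothing above them."""

    def __init__(self, token, session_keys):
        self.token = token
        self.keys = dict(session_keys)

    def pay(self, amount_minor, un):
        if not self.keys:
            return None                        # exhausted: must go online to replenish
        atc = min(self.keys)
        key = self.keys.pop(atc)               # single use: deleted after one tap
        return (self.token, atc, amount_minor, un, cryptogram(key, self.token, atc, amount_minor, un))

    def top_up(self, session_keys):
        self.keys.update(session_keys)


def run_scenario():
    """Enrolment, two taps, a replay, key exhaustion, replenishment, then two forgeries."""
    issuer = Issuer(secrets.token_bytes(32))
    token, keys = issuer.enrol("4111111111111111", batch_size=2)
    phone = Phone(token, keys)
    un = b"\x00\x00\x00\x2a"                    # terminal's unpredictable number (constructed)
    out = []
    tap1 = phone.pay(1250, un)
    out.append(issuer.authorize(*tap1))        # APPROVE
    out.append(issuer.authorize(*tap1))        # same message again: replay
    out.append(issuer.authorize(*phone.pay(300, un)))
    out.append(phone.pay(1, un) is None)       # True: both provisioned keys are used up
    phone.top_up(issuer.replenish(token, 3))
    out.append(issuer.authorize(*phone.pay(1, un)))
    forged = cryptogram(secrets.token_bytes(32), token, 3, 1, un)   # attacker has the token, not the keys
    out.append(issuer.authorize(token, 3, 1, un, forged))
    out.append(issuer.authorize(token, 99, 1, un, forged))
    return out
```

Two design points carry over to a real deployment: the phone never holds anything above the session keys, so a compromised handset yields only a token and a handful of counters that the issuer will refuse once used; and the issuer, not the phone, decides how many keys to pre-generate, which is the "risk model adopted" on the slide. In production the derivations, the cryptogram check and the TLS endpoint that delivers the batch all live inside the HSM rather than in application code.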
Diagram, SE card emulation: Consumer, Mobile App, Secure Element (SE), SP TSM, MNO TSM, Mobile Network Operator, Issuer Host (Issuing Bank), Merchant, Contactless POS Terminal, Payment Network
Yandex (the Russian Google): HCE with solution provider Techno
NFC and the Yandex.Money wallet, released to the app store on 20.04 at 8 a.m.
Load on the HSMs, Thales payShield 9000 x4 (SNMP stats, Grafana-Zabbix chart):
Server structure: Online1, Online2, TMS1, TMS2, Online3, Online4, TMS3, TMS4; data centres DC1 and DC2; CMS1, CMS2; cold backup