cloud payments (hce): a simpler step with thales hsms
TRANSCRIPT
www.thales-esecurity.com OPEN
Cloud Payments (HCE): a simpler step with Thales HSMs
Simon Keates CISSP
This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or disclosed to a third party without the prior written consent of Thales - © Thales 2014 All rights reserved.
Largely unregulated and unqualified
4 years ago…
Situation Today
Highly regulated. Even more growth!
A quick poll
Do you have a smartphone?
Have you bought something using your smartphone? (Not necessarily in a store, e.g., Amazon, Dominos, Uber, etc.)
Have you used your phone in a store to buy something?
Voting results
But change is coming!
The growth of contactless acceptance/distribution
http://finextra.com/news/fullstory.aspx?newsitemid=27119
http://www.nfcworld.com/2014/09/10/331470/mastercard-issues-european-contactless-pos-mandate/
https://tfl.gov.uk/info-for/media/press-releases/2014/september/more-than-128-000-contactless-payments-made
The growth of contactless acceptance/distribution
http://www.theukcardsassociation.org.uk/contactless_contactless_statistics/
Apple Pay: launched in October 2014
▌ Simplifying the user experience
Simple process to enrol cards
Automatic wallet start-up
One Touch fingerprint confirmation
▌ Enhancing the security
Embedded secure element
Tokenization of credentials
No card information shared with merchants
▌ Partnering rather than disrupting
Using existing payment card rails
Using established standard technology – EMV, NFC
Leveraging card schemes' expertise and business models
Google introduces support for HCE November 2013
https://developer.android.com/guide/topics/connectivity/nfc/hce.html
Schemes Introduce Support for HCE
230 PAGES 876 PAGES
What is Host Card Emulation (HCE)?
▌Does not require the use of a Secure Element (SE) on the mobile device
Mobile application has payment credentials
- Only essential payment data is on the device, the rest is in the 'cloud'
Major card schemes have their own proprietary specifications for support of HCE implementations
▌Increased risk is mitigated through use of:
Dynamic keys
Tokenization of PAN
HSMs in back office
Mobile app security layers
The Banks’ opportunity to take control
▌An alternative to the Secure Element (SE) TSM Model
▌Manage your master keys
▌Control critical assets
▌Look how HCE puts you back in control …
SE Card Emulation (diagram)
Components shown: Consumer with Mobile App and SE; Mobile Network Operator with MNO TSM; SP TSM; Issuer Host at the Issuing Bank; Merchant with Contactless POS Terminal; Payment Network.
Host Card Emulation (HCE) (diagram)
Components shown: Consumer with Mobile App; Mobile Network Operator; Issuer Host at the Issuing Bank; Merchant with Contactless POS Terminal; Payment Network. No SE or TSM appears in this model.
New Challenges | New Solutions
Securing the registration process
Risk Analysis
Delivering credentials securely to the phone
Managing the key and credential lifecycle
Tokenisation
Layered security to reduce your risk
▌Key security
New issuer master keys dedicated to HCE transactions
New 'digital card' keys dedicated to HCE transactions
Session/single-use keys to minimize risk and prevent replay attacks
▌Alternative PAN or token approach
Isolate HCE from other payment channels
Devalue the 'PAN' if stolen from the phone
Seamless integration of issuer-side tokenization where needed
▌Secure communications with the mobile phone
HSM acts as an endpoint for key exchange with the mobile phone
All critical keys and data supplied to the phone in encrypted format
Thales Hardware Security Modules
▌Hardware Security Modules
Tamper resistant, certified security
Secure cryptographic operations
High assurance key management
nShield: multi-purpose HSM family
payShield: payments HSM family
Host Card Emulation with Thales HSMs (diagram)
Device Provisioning: Provision device; Manage session keys; Manage apps
Account Management: Manage master & card keys; Manage customer accounts; Manage PINs/passcodes
Transaction Processing: Derive session keys; Fraud management; Payment authorization
Components shown: Internet; Merchant POS; Acquirer; Card Network; Issuer Back Office Systems (Web Server and HSMs attached to each of the three functions above).
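As an added illustration of the key hierarchy from the "Layered security" slide (HCE-only master key, per-token digital card key, single-use session keys that defeat replay) and of the "Derive session keys / Payment authorization" step in the transaction-processing flow above, the following is example code, not Thales or any card scheme's implementation. It assumes HMAC-SHA256 as a stand-in for the schemes' real derivation and cryptogram algorithms, omits the encrypted delivery of keys to the phone, and uses constructed sample values throughout.

```python
import hmac
import hashlib

def derive(key: bytes, label: bytes) -> bytes:
    # HMAC-SHA256 stands in for the scheme's key derivation (assumption)
    return hmac.new(key, label, hashlib.sha256).digest()

def card_key(hce_master_key: bytes, token_pan: str) -> bytes:
    # 'digital card' key dedicated to HCE, derived from an HCE-only master key
    return derive(hce_master_key, b"card:" + token_pan.encode())

def session_key(ck: bytes, atc: int) -> bytes:
    # single-use key bound to the application transaction counter (ATC)
    return derive(ck, b"session:" + atc.to_bytes(2, "big"))

def cryptogram(sk: bytes, tx_data: bytes) -> bytes:
    # truncated MAC over the transaction data, playing the role of the ARQC
    return hmac.new(sk, tx_data, hashlib.sha256).digest()[:8]

class IssuerHost:
    """Issuer back office; in production these derivations run inside an HSM."""
    def __init__(self, hce_master_key: bytes):
        self.mk = hce_master_key
        self.last_atc = {}  # token -> highest ATC accepted so far
    def provision(self, token_pan: str, first_atc: int, count: int) -> dict:
        # hand the phone a small batch of single-use keys; the card key never leaves the host
        ck = card_key(self.mk, token_pan)
        return {a: session_key(ck, a) for a in range(first_atc, first_atc + count)}
    def authorize(self, token_pan: str, atc: int, tx_data: bytes, arqc: bytes) -> str:
        if atc <= self.last_atc.get(token_pan, 0):
            return "DECLINE: replayed counter"
        expected = cryptogram(session_key(card_key(self.mk, token_pan), atc), tx_data)
        if not hmac.compare_digest(expected, arqc):
            return "DECLINE: cryptogram mismatch"
        self.last_atc[token_pan] = atc
        return "APPROVE"

class Phone:
    """Mobile app: holds only a token PAN and a few single-use keys."""
    def __init__(self, token_pan: str, keys: dict):
        self.token_pan, self.keys = token_pan, dict(keys)
    def pay(self, tx_data: bytes):
        atc = min(self.keys)       # lowest unused counter
        sk = self.keys.pop(atc)    # the key is consumed by this transaction
        return self.token_pan, atx_fix(atc), tx_data, cryptogram(sk, tx_data)

def atx_fix(atc: int) -> int:
    return atc  # identity helper kept separate so the pay() tuple stays readable

def demo():
    # constructed sample: provision three keys, make one payment, replay it once
    issuer = IssuerHost(b"constructed-hce-master-key")
    phone = Phone("token-00001", issuer.provision("token-00001", 1, 3))
    msg = phone.pay(b"amount=1250;currency=826;merchant=constructed")
    return issuer.authorize(*msg), issuer.authorize(*msg)
```

A stolen batch of session keys yields only the remaining counters in that batch, which is the "devalue if stolen" property the slide describes.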
Thales support
▌Working with the card schemes, to provide support
payShield 9000 pre-release 1401-0901, November 2014:
- Visa Cloud Payments: complete November 2014 (1401-0901)
payShield 9000 pre-release 1401-0903, February 2015:
- 1st draft MasterCard Cloud Based Payments
payShield 9000 pre-release 1401-0911, December 2015:
- Full MCBP support
- American Express Expresspay
- 1st draft Discover
payShield 9000 major release 3.0, available now:
- Including all functionality above
- Coming soon: Union Pay, Verve, Diners
Support for other card brands to follow
Tinkoff Bank!
D8 & MTBank
Thales, ready to go when you are
▌HSM functionality available off-the-shelf
Visa, MasterCard and American Express variants supported
Dedicated payShield 9000 functions – no additional development needed
Update to PCI HSM certification in progress
▌Proven integration with leading HCE solutions
Major solution providers have pre-integrated with payShield 9000
Low risk, plenty of choice, superior support
▌Comprehensive consultancy, training and support
We understand the cryptography necessary to support HCE
We can help your team get up to speed quickly with the overall system
24 x 7 support is what we can offer you
Why Thales e-Security?
Industries served: Banking, Government, Utilities, High Tech, Mobile, Automotive, Healthcare, Manufacturing
▌ Our track record. Over 40 years of leadership delivering data protection solutions around the world
▌ Our customers. We secure some of the world’s most valuable information and > 80% of payment transactions
▌ Our commitment. Hundreds of R&D staff dedicated to excellence in applied cryptography
▌ Our certifications. All our offerings are independently security certified - more than anyone else!
▌ Our support services. Our Advanced Solutions Group (ASG) provides world-class consulting, training, and deployment assistance
HCE – your opportunity to take control of mobile payments
▌Terminals, schemes, customers and mobiles are ready for HCE
▌Working with Thales will make implementation quicker and secure
▌Thales is committed to securing HCE solutions
▌Download the whitepaper:
https://bit.ly/1ZYz5mn
▌Contact us via the website:
https://www.thales-esecurity.com
▌Or contact me: [email protected] @simonkeates