www.thales-esecurity.com OPEN
Cloud Payments (HCE): a simpler step with Thales HSMs
SIMON KEATES CISSP
This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or disclosed to a third party without the prior written consent of Thales - © Thales 2014 All rights reserved.
Largely unregulated and unqualified
4 years ago…
Situation Today
Highly Regulated Even more growth!
A quick poll
Do you have a smartphone?
Have you bought something using your smartphone? (Not necessarily in a store, e.g., Amazon, Dominos, Uber, etc.)
Have you used your phone in a store to buy something?
Voting results
But change is coming!
The growth of contactless acceptance/distribution
http://finextra.com/news/fullstory.aspx?newsitemid=27119
http://www.nfcworld.com/2014/09/10/331470/mastercard-issues-european-contactless-pos-mandate/
https://tfl.gov.uk/info-for/media/press-releases/2014/september/more-than-128-000-contactless-payments-made
The growth of contactless acceptance/distribution
http://www.theukcardsassociation.org.uk/contactless_contactless_statistics/
Apple Pay Launched in October 2014
▌ Simplifying the user experience
- Simple process to enrol cards
- Automatic wallet start-up
- One Touch fingerprint confirmation
▌ Enhancing the security
- Embedded secure element
- Tokenization of credentials
- No card information shared with merchants
▌ Partnering rather than disrupting
- Using existing payment card rails
- Using established standard technology – EMV, NFC
- Leveraging card schemes expertise and business models
Google introduces support for HCE November 2013
https://developer.android.com/guide/topics/connectivity/nfc/hce.html
Schemes Introduce Support for HCE
230 PAGES 876 PAGES
What is Host Card Emulation (HCE)
▌ Does not require the use of Secure Element (SE) on mobile device
- Mobile application has payment credentials
  - Only essential payment data is on the device, rest is in the ‘cloud’
- Major card schemes have their own proprietary specifications for support of HCE implementations
▌ Increased risk is mitigated through use of:
- Dynamic keys
- Tokenization of PAN
- HSMs in back office
- Mobile app security layers
The Banks’ opportunity to take control
▌An alternative to the Secure Element (SE) TSM Model
▌Manage your master keys
▌Control critical assets
▌Look how HCE puts you back in control …
SE Card Emulation
[Diagram labels: SP TSM, Issuer Host, Mobile Network Operator, MNO TSM, Consumer, Mobile App, SE, Issuing Bank, Merchant, Contactless POS Terminal, Payment Network]
Host Card Emulation (HCE)
[Diagram labels: Issuer Host, Mobile Network Operator, Consumer, Mobile App, Issuing Bank, Merchant, Contactless POS Terminal, Payment Network]
New Challenges | New Solutions
Securing the registration process
Risk Analysis
Delivering credentials securely to the phone
Managing the key and credential lifecycle
Tokenisation
Layered security to reduce your risk
▌ Key security
- New issuer master keys dedicated to HCE transactions
- New ‘digital card’ keys dedicated to HCE transactions
- Session/single use keys to minimize risk and prevent replay attacks
▌ Alternative PAN or token approach
- Isolate HCE from other payment channels
- Devalue ‘PAN’ if stolen from phone
- Seamless integration of issuer-side tokenization where needed
▌ Secure communications with mobile phone
- HSM acts as an endpoint for key exchange with mobile phone
- All critical keys and data supplied to phone in encrypted format
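The key layering on this slide, sketched as an added example (not Thales or card-scheme code): an HCE-only issuer master key derives a per-token 'digital card' key, which derives single-use keys indexed by a transaction counter, and the issuer declines any counter it has already consumed. HMAC-SHA256 as the derivation, the counter name `atc`, the token value and all class and function names are assumptions for illustration; the schemes' own derivations are proprietary and run inside the HSM.

```python
import hashlib
import hmac

def kdf(key: bytes, label: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 as a stand-in derivation (assumption, not a scheme algorithm).
    return hmac.new(key, label + b"|" + data, hashlib.sha256).digest()

def cryptogram(single_use_key: bytes, txn: bytes) -> bytes:
    # Phone side: MAC the transaction data with a key that is used once.
    return hmac.new(single_use_key, txn, hashlib.sha256).digest()[:8]

class IssuerBackOffice:
    """Hypothetical issuer host; in production these keys stay inside the HSM."""

    def __init__(self, hce_master_key: bytes):
        self._imk = hce_master_key   # master key dedicated to HCE
        self._seen = {}              # token -> counters already consumed

    def _card_key(self, token: str) -> bytes:
        # 'Digital card' key: diversified per token, never sent to the phone.
        return kdf(self._imk, b"card", token.encode())

    def _single_use_key(self, token: str, atc: int) -> bytes:
        return kdf(self._card_key(token), b"suk", atc.to_bytes(2, "big"))

    def provision(self, token: str, first_atc: int, count: int) -> dict:
        # Batch of single-use keys for the phone (transport encryption omitted).
        return {atc: self._single_use_key(token, atc)
                for atc in range(first_atc, first_atc + count)}

    def authorize(self, token: str, atc: int, txn: bytes, mac: bytes) -> str:
        seen = self._seen.setdefault(token, set())
        if atc in seen:
            return "DECLINE_REPLAY"          # counter reused: replayed data
        expected = cryptogram(self._single_use_key(token, atc), txn)
        if not hmac.compare_digest(expected, mac):
            return "DECLINE_BAD_CRYPTOGRAM"  # wrong key or altered data
        seen.add(atc)
        return "APPROVE"

def demo():
    issuer = IssuerBackOffice(bytes(range(32)))   # constructed test key
    token = "4999990000000001"                    # constructed token, not a PAN
    keys = issuer.provision(token, first_atc=1, count=3)
    txn = b"amount=1250;currency=826;terminal_nonce=a1b2c3d4"  # constructed
    mac = cryptogram(keys[1], txn)
    first = issuer.authorize(token, 1, txn, mac)
    replay = issuer.authorize(token, 1, txn, mac)     # same counter again
    mismatch = issuer.authorize(token, 2, txn, mac)   # key 1 under counter 2
    return first, replay, mismatch

if __name__ == "__main__":
    print(demo())
```

A key lifted from the phone is good for one counter value only, and the master and card keys never leave the back office.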
Thales Hardware Security Modules
▌ Hardware Security Modules
- Tamper resistant, certified security
- Secure cryptographic operations
- High assurance key management
nShield: Multi-purpose HSM family
payShield: Payments HSM family
Host Card Emulation with Thales HSMs
▌ Device Provisioning
- Manage session keys
- Manage apps
- Provision device
▌ Account Management
- Manage master & card keys
- Manage customer accounts
- Manage PINs/passcodes
▌ Transaction Processing
- Derive session keys
- Fraud management
- Payment authorization
[Diagram labels: Internet, Web Server, Merchant POS, Acquirer, Card Network, Issuer Back Office Systems, HSMs]
Thales support
▌ Working with the card schemes, to provide support
payShield 9000 Pre release 1401-0901 November 2014:
- Visa Cloud Payments : Complete November 2014 (1401-0901)
payShield 9000 Pre release 1401-0903 February 2015
- 1st Draft MasterCard Cloud Based Payments
payShield 9000 Pre release 1401-0911 December 2015
- Full MCBP Support
- American Express Expresspay
- 1st Draft Discover
payShield 9000 Major Release 3.0 available now
- Including all functionality above
- Coming soon: Union Pay, Verve, Diners
Support for other card brands to follow
Tinkoff Bank!
D8 & MTBank
Thales, ready to go when you are
▌ HSM functionality available off-the-shelf
- Visa, MasterCard and American Express variants supported
- Dedicated payShield 9000 functions – no additional development needed
- Update to PCI HSM certification in progress
▌ Proven integration with leading HCE solutions
- Major solution providers have pre-integrated with payShield 9000
- Low risk, plenty of choice, superior support
▌ Comprehensive consultancy, training and support
- We understand the cryptography necessary to support HCE
- We can help your team get up to speed quickly with the overall system
- 24 x 7 support is what we can offer you
Why Thales e-Security?
Banking, Government, Utilities, High Tech, Mobile, Automotive, Healthcare, Manufacturing
▌ Our track record. Over 40 years of leadership delivering data protection solutions around the world
▌ Our customers. We secure some of the world’s most valuable information and > 80% of payment transactions
▌ Our commitment. Hundreds of R&D staff dedicated to excellence in applied cryptography
▌ Our certifications. All our offerings are independently security certified - more than anyone else!
▌ Our support services. Our Advanced Solutions Group (ASG) provides world-class consulting, training, and deployment assistance
HCE – your opportunity to take control of mobile payments
▌Terminals, schemes, customers and mobiles are ready for HCE
▌Working with Thales will make implementation quicker and secure
▌Thales is committed to securing HCE solutions
▌Download the whitepaper: https://bit.ly/1ZYz5mn
▌Contact us via the website: https://www.thales-esecurity.com
▌Or contact me: [email protected] @simonkeates