HCE Driving NFC:From Idea to Reality to Ubiquity

Mobey DayOctober 7/8, 2014

M-PAYMENTS & NFC ADOPTION?

2

WHY SO SLOW?

3

The trend towards mobile

has set in everywhere else

Contactless card use and

acceptance are making

great strides

Other forms of mobile

commerce are picking up

Technical specifications,

certification programs and

supporting hardware have

all been available

CONSUMERS AREN’T BITING

4

Why haven’t they taken the bait?

CONSUMERS NOT TAKING THE BAIT

5

Awareness

Ease of adoption

User Experience

Acceptance

Security

Incentive/Value

BANKS / SPs NOT TAKING THE BAIT

6

Don’t want to give up control of

• Business Model

• Brand & Consumer Experience

• Technology & Roadmap

HCE INTRODUCED ALTERNATIVE

7

HOSTCARDEMULATION

HOST CARD EMULATION (HCE)

8

Traditional SIM SE Models: Host Card Emulation (HCE):

ADDRESSING MARKET NEEDS What HCE Delivered to the market

9

HCE IGNITED NFC IN 2014For Several Reasons…

10

Puts Service Providers back in control

Independence to act

Simpler deployment models

More attractive commercial models

Keep control over brand and wallet presence

Access the full consumer base

IS HCE SECURE… enough?

11

Tokenization

Limiting the use of

credentials and keys

Active and passive authentication

of device and cardholder

Added layers of security

• Hybrid: SE + Cloud

• Trusted Execution Environment

(TEE)

• Biometrics

WHAT IS TOKENIZATION?

12

9876

5432 8817

3104

Cardholder information is encrypted and converted to a “token” that is passed to

the merchant POS.

• No card data stored on the phone.

• No card data vulnerability at merchant

MR CARDHOLDER

1234 5678 9101 2345

(Cloud or SE)

9876

5432 8817

3104

No changes to

contactless POS

or merchant

acceptance

IMPACT OF APPLE PAY

13

Huge endorsement for Mobile Payments & NFC

Removes longstanding doubt:

• Uses existing NFC technology & POS terminals

• Works with schemes: MasterCard/Visa/Amex

Brings mass consumer exposure

Tokenization + Biometrics

MULTIPLE SECURITY STANDARDS

14

Apple Pay uses tokenization

+ embedded hardware SE

Multiple security models

(cloud & SE) will co-exist

Credentials managed by

Apple (SE owner) or Issuer

(Cloud SE owner)

Crypto validation & other

tokenization is effectively the

same

OEM SECloud/ Issuer

Owned SE

Scheme

Service

WHAT TO LOOK FOR MOVING FORWARDHCE, UICC, Embedded SE… all of the above?

15

Multiple Security Models will co-exist

Hybrid Solutions that combine hardware SE or

Trusted Execution Environment (TEE) will add

additional security to Cloud Payments / HCE

Biometrics for added authentication

Tokenization will be standard

Mobile Commerce = Remote + Proximity

Scheme services & standards

playing an increasing role in

ecosystem

16

IssuerPayment

NetworkAcquirerMerchant

Terminal

NFC Device

Cloud

New processing functions related to tokenization messaging (below in blue) according

to EMVco specifications.

Token

Service

Provider

De-Tokenize

NFC Data

• Token

• Token Exp. Date

• Token Requestor

ID

• POS Entry Mode

• Token Cryptogram

Optional Data

exchange via

the cloud

Request

• Token

• Token Exp. Date

• Token Requestor

ID

• POS Entry Mode

• Token Cryptogram

Request

• Token

• Token Exp. Date

• Token Requestor

ID

• POS Entry Mode

• Token Cryptogram

Request

• PAN

• PAN Exp. Date

• POS Entry Mode

• Token

• Token Exp. Date

• Token Requestor ID

• Token Assurance Level

Response

• PAN

Response

• Token

• PAN Product ID

• Last 4 digits of

PAN

• Token Assurance

Level

Response

• Token

• PAN Product ID

• Last 4 digits of

PAN

• Token Assurance

Level

TOKENIZATION REQUIREMENTS

ISSUER CONSIDERATIONS

17

Issuer

Security

Mobile Payment Application

TEE

Credential

ManagementToken Service /

Crypto Validation

Card

ManagementAuthorization

In-house /

outsource ?

Multi-platform

SE & Cloud

Multi-scheme

In-house / outsource ?

In-house / outsource ?

Scheme service?

Hybrid / TEE ?

Integrated?

Stand-alone?

Remote /

ProximityPIN /

Biometrics

Hardware

changes?Software

changes?

WHAT STILL NEEDS TO BE DONETo make mass-market adoption a reality?

18

Clear standards from all schemes for cloud

based payments & HCE

Clear certification process for all schemes

Cross platform consistency

Additional use cases : transit, access control,

ID etc.

Value Added Services

• Loyatly, coupons etc.

TECHNOLOGY + USER EXPERIENCE

19

Easy to adopt

Intuitive User Experience

Accepted everywhere

Rewarding user experience

Local / Targeted

CARTA :

20

Carta provides Digital Credential Management & Tokenization Services for Cloud

and NFC mobile payment deployments

21

14

ABOUT CARTAA Global Payment Technology Partner

CARTA OFFICES

CARTA DATA CENTERS

MARKET OPERATIONS

CARIBBEAN / LAC

TORONTO

SAN FRANSISCO

CASABLANCA

CANADA

UNITED STATES

UAE

EUROPE

LONDON

SCOTLAND

UK

AUSTRALIA / NZ

$50MM+ Invested in

Next-Gen Processing Platform

Marquee client HCE

deployments across 4

continents

Founded: 2007

HQ: Toronto, Canada

Privately Held.

Private & Institutional Investors

THANK YOU.

Contact:

Giles Sutherland, VP Strategic Alliances:

gsutherland@cartaworldwide.com

22