hce driving nfc - mobey forum · hce driving nfc: from idea to reality to ubiquity mobey day...
TRANSCRIPT
HCE Driving NFC: From Idea to Reality to Ubiquity
Mobey Day
October 7/8, 2014
M-PAYMENTS & NFC ADOPTION?
2
WHY SO SLOW?
3
The trend towards mobile
has set in everywhere else
Contactless card use and
acceptance are making
great strides
Other forms of mobile
commerce are picking up
Technical specifications,
certification programs and
supporting hardware have
all been available
CONSUMERS AREN’T BITING
4
Why haven’t they taken the bait?
CONSUMERS NOT TAKING THE BAIT
5
Awareness
Ease of adoption
User Experience
Acceptance
Security
Incentive/Value
BANKS / SPs NOT TAKING THE BAIT
6
Don’t want to give up control of
• Business Model
• Brand & Consumer Experience
• Technology & Roadmap
HCE INTRODUCED ALTERNATIVE
7
HOST CARD EMULATION
HOST CARD EMULATION (HCE)
8
Traditional SIM SE Models: Host Card Emulation (HCE):
ADDRESSING MARKET NEEDS What HCE Delivered to the market
9
HCE IGNITED NFC IN 2014
For Several Reasons…
10
Puts Service Providers back in control
Independence to act
Simpler deployment models
More attractive commercial models
Keep control over brand and wallet presence
Access the full consumer base
IS HCE SECURE… enough?
11
Tokenization
Limiting the use of
credentials and keys
Active and passive authentication
of device and cardholder
Added layers of security
• Hybrid: SE + Cloud
• Trusted Execution Environment (TEE)
• Biometrics
WHAT IS TOKENIZATION?
12
Cardholder information is encrypted and converted to a “token” that is passed to the merchant POS.
• No card data stored on the phone.
• No card data vulnerability at merchant
No changes to contactless POS or merchant acceptance
[Diagram: MR CARDHOLDER, 1234 5678 9101 2345; (Cloud or SE); 9876 5432 8817 3104]
IMPACT OF APPLE PAY
13
Huge endorsement for Mobile Payments & NFC
Removes longstanding doubt:
• Uses existing NFC technology & POS terminals
• Works with schemes: MasterCard/Visa/Amex
Brings mass consumer exposure
Tokenization + Biometrics
MULTIPLE SECURITY STANDARDS
14
Apple Pay uses tokenization
+ embedded hardware SE
Multiple security models
(cloud & SE) will co-exist
Credentials managed by
Apple (SE owner) or Issuer
(Cloud SE owner)
Crypto validation & other
tokenization is effectively the
same
OEM SE
Cloud / Issuer Owned SE
Scheme Service
WHAT TO LOOK FOR MOVING FORWARD
HCE, UICC, Embedded SE… all of the above?
15
Multiple Security Models will co-exist
Hybrid Solutions that combine hardware SE or
Trusted Execution Environment (TEE) will add
additional security to Cloud Payments / HCE
Biometrics for added authentication
Tokenization will be standard
Mobile Commerce = Remote + Proximity
Scheme services & standards
playing an increasing role in
ecosystem
16
Issuer
Payment Network
Acquirer
Merchant Terminal
NFC Device
Cloud
New processing functions related to tokenization messaging (below in blue) according to EMVCo specifications.
Token Service Provider
De-Tokenize
NFC Data
• Token
• Token Exp. Date
• Token Requestor ID
• POS Entry Mode
• Token Cryptogram
Optional Data exchange via the cloud
Request
• Token
• Token Exp. Date
• Token Requestor ID
• POS Entry Mode
• Token Cryptogram
Request
• Token
• Token Exp. Date
• Token Requestor ID
• POS Entry Mode
• Token Cryptogram
Request
• PAN
• PAN Exp. Date
• POS Entry Mode
• Token
• Token Exp. Date
• Token Requestor ID
• Token Assurance Level
Response
• PAN
Response
• Token
• PAN Product ID
• Last 4 digits of PAN
• Token Assurance Level
Response
• Token
• PAN Product ID
• Last 4 digits of PAN
• Token Assurance Level
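An added sketch, not from the original deck or from Carta, of the de-tokenize step in the flow above: a token service validates the token fields a terminal forwards and releases the PAN only toward the issuer, while the acquirer side sees the token and last 4 digits. The HMAC cryptogram, the transaction counter, the YYMM date strings and all names are assumptions standing in for the EMVCo-specified mechanisms.

```python
import hashlib, hmac, secrets

def luhn_digit(body):
    """Check digit, so a token passes the same Luhn test a PAN does."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str(-total % 10)

def cryptogram(key, token, counter, pos_entry_mode):
    """Stand-in for the token cryptogram: HMAC-SHA256, not the EMV algorithm."""
    msg = f"{token}|{counter}|{pos_entry_mode}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def deny(reason):
    return {"ok": False, "reason": reason}

class TokenService:
    def __init__(self):
        self.vault = {}  # token -> record; the only place the PAN is kept

    def provision(self, pan, pan_exp, requestor_id, token_exp, assurance):
        body = "9" + "".join(secrets.choice("0123456789") for _ in range(len(pan) - 2))
        token, key = body + luhn_digit(body), secrets.token_bytes(32)
        self.vault[token] = dict(pan=pan, pan_exp=pan_exp, requestor_id=requestor_id,
                                 token_exp=token_exp, assurance=assurance,
                                 key=key, counter=0)
        return token, key  # handed to the device or cloud credential store

    def detokenize(self, req, today):
        """Check the tokenized request; dates are YYMM strings (assumption)."""
        rec = self.vault.get(req["token"])
        if rec is None:
            return deny("unknown token")
        if req["token_exp"] != rec["token_exp"] or today > rec["token_exp"]:
            return deny("token expired or expiry mismatch")
        if req["requestor_id"] != rec["requestor_id"]:
            return deny("token requestor mismatch")
        if req["counter"] <= rec["counter"]:
            return deny("replayed counter")
        want = cryptogram(rec["key"], req["token"], req["counter"], req["pos_entry_mode"])
        if not hmac.compare_digest(want, req["cryptogram"]):
            return deny("bad cryptogram")
        rec["counter"] = req["counter"]  # assumed counter: a cryptogram is accepted once
        common = {"token": req["token"], "assurance": rec["assurance"]}
        return {"ok": True,
                "issuer_view": dict(common, pan=rec["pan"], pan_exp=rec["pan_exp"]),
                "acquirer_view": dict(common, last4=rec["pan"][-4:])}
```

A token captured at the merchant fails here when replayed, presented by a different token requestor, or used past its own expiry, which is why the merchant side holds no reusable card data.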
TOKENIZATION REQUIREMENTS
ISSUER CONSIDERATIONS
17
Issuer
Security
Mobile Payment Application
TEE
Credential Management
Token Service / Crypto Validation
Card Management
Authorization
In-house /
outsource ?
Multi-platform
SE & Cloud
Multi-scheme
In-house / outsource ?
In-house / outsource ?
Scheme service?
Hybrid / TEE ?
Integrated?
Stand-alone?
Remote / Proximity
PIN / Biometrics
Hardware changes?
Software changes?
WHAT STILL NEEDS TO BE DONE
To make mass-market adoption a reality?
18
Clear standards from all schemes for cloud
based payments & HCE
Clear certification process for all schemes
Cross platform consistency
Additional use cases: transit, access control, ID etc.
Value Added Services
• Loyalty, coupons etc.
TECHNOLOGY + USER EXPERIENCE
19
Easy to adopt
Intuitive User Experience
Accepted everywhere
Rewarding user experience
Local / Targeted
CARTA :
20
Carta provides Digital Credential Management & Tokenization Services for Cloud
and NFC mobile payment deployments
21
14
ABOUT CARTA
A Global Payment Technology Partner
CARTA OFFICES
CARTA DATA CENTERS
MARKET OPERATIONS
CARIBBEAN / LAC
TORONTO
SAN FRANCISCO
CASABLANCA
CANADA
UNITED STATES
UAE
EUROPE
LONDON
SCOTLAND
UK
AUSTRALIA / NZ
$50MM+ Invested in
Next-Gen Processing Platform
Marquee client HCE
deployments across 4
continents
Founded: 2007
HQ: Toronto, Canada
Privately Held.
Private & Institutional Investors