Click here to close now.

Welcome!

Web 2.0 Authors: Kevin Benedict, Carmen Gonzalez, Tim Hinds, Elizabeth White, Pat Romanski

Related Topics: Wireless, Microservices Journal, Web 2.0, iPhone, Security

Wireless: Article

Securing Mobile Payments

As the mobile payment industry continues to develop at lightning speed, best practices have yet to be solidified

As mobile phones become as indispensable as credit cards for purchasing goods and services, mobile payment developments are quickly gaining pace. Many different service providers are competing for their piece of the action. Within the last year, we have witnessed the arrival of mobile payment solutions such as MasterCard's PayPass, Google's Android-based eWallet scheme and Starbucks' emerging Quick Tap PayPass service.

A study from Juniper Research predicts that mobile contactless payment transactions are to reach nearly $50 billion worldwide in 2014 and NFC solutions will be used in 20 countries within the next 18 months.

However, with the widespread adoption of this technology, there is a need to debate which type of scheme works best and is the most robust.

Setting the Standard
As with traditional payments, standardization is vital. Several effective standards are already gaining momentum in delivering a secure mobile payments ecosystem:

  • Organizing Mobile NFC Services - The Trusted Service Manager (TSM) acts as an intermediary between Mobile Network Operators (MNOs) and third-party service providers that wish to offer additional services to subscribers. GlobalPlatform's ‘System Messaging Specification for Management of Mobile-NFC Services' defines the messaging between each of the three parties to guarantee secure ‘provisioning' of services to the device.
  • The SIM Alliance Open Mobile API - Applications utilizing the Secure Element (the cryptographically secured piece of hardware on newer mobile devices) to secure their critical operations, such as payments, banking or transport tickets, can have a component running within the device's operating system that ensures the user can securely interact with the keyboard/touch screen while enjoying a rich graphical user experience. The SIM Alliance Open Mobile API allows application developers to utilize additional security of the Secure Element more easily, be this in a UICC SIM, a dedicated Secure Element built into the device or a secure SD card, by providing a common means of interfacing with it.
  • Trusted Execution Environment (TEE) - The Secure Element cannot easily host apps with a highly developed or cutting edge user interface, but can look after critical data on the mobile handset. Applications that require complex user interactions must run on the device's primary processor. The TEE secures these apps; GlobalPlatform is leading the standardization and interoperability in this area to ensure that software and data are sufficiently protected. For example, payment apps that run their user interface in TEE and their transaction security in the Secure Element would have a particularly high level of security.

Such standards encourage the industry to work together and benchmark best practices, but they remain as fundamental elements of successful mobile payment security. It is also required that technology that makes the security of provisioning mobile payment applications is as safe as issuing cards, and designing the necessary infrastructure requires much needed consumer confidence.

Security Issues Prompt Consumer Fear
Consumer's perceived fear surrounding new mobile payments technology often looms around security. The lack in consumer confidence originates from the threat of information being intercepted during a transaction. Yet risks are prominent at every stage of the mobile payment life cycle, including how payment applications get onto a phone securely in the first place. Constructing the data needed to issue a payment application and generate the secure messages to personalize a handset can be a lengthy and inefficient process, and the various cryptographic functions pose the possibility that sensitive data is at risk of exposure.

This initial set-up process or ‘provisioning' usually takes place over-the-air (OTA). The process increases security risks due to the various parties involved - typically the payment application provider (usually a bank), a Trusted Service Manager, the Mobile Network Operator and the end user. A vital success factor is maintaining security throughout this procedure, ensuring that no data is compromised. Successful provisioning utilizes unique personalization keys to not only encrypt the loading of data onto a device, but also the succeeding transactions performed by the application.

Mobile Payment Security as Secure as Traditional Payment Cards
By implementing the newest cryptography methods, users can ensure that ‘provisioning' occurs securely with the same level of protection provided by traditional payment cards. Providers of physical cards tend to favor Hardware Security Modules (HSMs), which generate and secure the encryption keys crucial to managing issuance risk. This method is also relevant for provisioning services to a mobile phone and can significantly reduce the complexities associated with the process while simultaneously avoiding the weakness of keys stored in software. The primary benefit of an HSM is to secure encryption keys and sensitive data in a way that safeguards such data from exposure. With this method, service providers reduce risk.

While encryption is crucial to the security of mobile payments, it isn't the only answer. For a more comprehensive approach to optimize security, encryption and authentication must be combined to provide protection for data exchanges and authorizations.

Reducing Risk
As the mobile payment industry continues to develop at lightning speed, best practices have yet to be solidified. Operators and related parties are still unsure about who ultimately controls the mobile wallet. But one thing that is for sure is that security remains the primary hurdle most consumers can't get over.

Extinguishing this concern is no easy task; it requires a mixture of robust standards and best practices, accompanied with the right technical path to ensure the experience is safe from the second that a user opts to download a payment app. If businesses want to take advantage of the mobile payments, security needs to be at the forefront of their approach to mitigating risk and encourage comprehensive consumer adoption.

More Stories By Ian Hermon

Ian Hermon is Product Marketing Manager at Thales e-Security. He has more than 15 years’ experience in the payment industry, being responsible for the Thales portfolio of payment and transaction security products. He represents Thales on both the MasterCard Global Vendor Forum and Visa Europe Vendor Forum, is a member of the Smart Card Alliance Payments Council and the Smartex Smart Payments Forum Steering Committee. Ian also represents Thales as a participating organization on the PCI Security Standards Committee and is an EMV subscriber.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
The WebRTC Summit 2015 New York, to be held June 9-11, 2015, at the Javits Center in New York, NY, announces that its Call for Papers is open. Topics include all aspects of improving IT delivery by eliminating waste through automated business models leveraging cloud technologies. WebRTC Summit is co-located with 16th International Cloud Expo, @ThingsExpo, Big Data Expo, and DevOps Summit.
Recent technology advances in miniaturization has positioned the wearables as the pinnacle of technology convergence with the human body. We inquire if wearables are mere standard miniaturized devices extended with the connectivity and present our views on considerations like design, applications, performance, efficiency, interoperability, usage scenarios, human device interaction and consequent trade-offs enabling wearables to impart optimal value.
In this session we look at creating interactive communications via the web by adding messaging, file transfer, and group communication (group chat and audio/video conferencing) into the web experience. We will also discuss potential applications of this technology in areas including B2B, B2C, P2P, and gaming. Peter is Technical Director at Acision. He graduated from The University of Edinburgh in 2000 with a BSc (Hons) in Computer Science. After graduation Peter worked on a PSTN switch developing signalling stacks for SS7, ISDN and similar protocols and creating advanced routing and serv...
The Internet of Things Maturity Model (IoTMM) is a qualitative method to gauge the growth and increasing impact of IoT capabilities in an IT environment from both a business and technology perspective. In his session at @ThingsExpo, Tony Shan will first scan the IoT landscape and investigate the major challenges and barriers. The key areas of consideration are identified to get started with IoT journey. He will then pinpoint the need of a tool for effective IoT adoption and implementation, which leads to IoTMM in which five maturity levels are defined: Advanced, Dynamic, Optimized, Primitive,...
SYS-CON Events announced today that AIC, a leading provider of OEM/ODM server and storage solutions, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. AIC is a leading provider of both standard OTS, off-the-shelf, and OEM/ODM server and storage solutions. With expert in-house design capabilities, validation, manufacturing and production, AIC's broad selection of products are highly flexible and are configurable to any form factor or custom configuration. AIC leads the industry with nearly 20 years of ...
SYS-CON Events announced today that Vicom Computer Services, Inc., a provider of technology and service solutions, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. They are located at booth #427. Vicom Computer Services, Inc. is a progressive leader in the technology industry for over 30 years. Headquartered in the NY Metropolitan area. Vicom provides products and services based on today’s requirements around Unified Networks, Cloud Computing strategies, Virtualization around Software defined Data Ce...
How is unified communications transforming the way businesses operate? In his session at WebRTC Summit, Arvind Rangarajan, Director of Product Marketing at BroadSoft, will discuss how to extend unified communications experience outside the enterprise through WebRTC. He will also review use cases across different industry verticals. Arvind Rangarajan is Director, Product Marketing at BroadSoft. He has over 19 years of experience in the telecommunications industry in various roles such as Software Development, Product Management and Product Marketing, applied across Wireless, Unified Communic...
As we approach the next @ThingsExpo, to be held June 9-11 at the Javits Center in New York, my thoughts naturally turn to the Internet of Things. The IoT is a leviathan—in the best possible sense of the term—that will sweep up most everything in the ocean of data and technology being created today and tomorrow. But rather than try to grasp all of its possible uses, for today I'm looking at “just” the Industrial Internet part. I just read a long paper co-authored by Tim Berners-Lee about the possibility of describing a “web science,” that is, discipline that combines the study involved ...
The best mobile applications are augmented by dedicated servers, the Internet and Cloud services. Mobile developers should focus on one thing: writing the next socially disruptive viral app. Thanks to the cloud, they can focus on the overall solution, not the underlying plumbing. From iOS to Android and Windows, developers can leverage cloud services to create a common cross-platform backend to persist user settings, app data, broadcast notifications, run jobs, etc. This session provides a high level technical overview of many cloud services available to mobile app developers, includi...
Enterprise IoT is an exciting and chaotic space with a lot of potential to transform how the enterprise resources are managed. In his session at @ThingsExpo, Hari Srinivasan, Sr Product Manager at Cisco, will describe the challenges in enabling mass adoption of IoT, and share perspectives and insights on architectures/standards/protocols that are necessary to build a healthy ecosystem and lay the foundation to for a wide variety of exciting IoT use cases in the years to come.
SYS-CON Events announced today that B2Cloud, a provider of enterprise resource planning software, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. B2cloud develops the software you need. They have the ideal tools to help you work with your clients. B2Cloud’s main solutions include AGIS – ERP, CLOHC, AGIS – Invoice, and IZUM
The IoT Bootcamp is coming to Cloud Expo | @ThingsExpo on June 9-10 at the Javits Center in New York. Instructor. Registration is now available at http://iotbootcamp.sys-con.com/ Instructor Janakiram MSV previously taught the famously successful Multi-Cloud Bootcamp at Cloud Expo | @ThingsExpo in November in Santa Clara. Now he is expanding the focus to Janakiram is the founder and CTO of Get Cloud Ready Consulting, a niche Cloud Migration and Cloud Operations firm that recently got acquired by Aditi Technologies. He is a Microsoft Regional Director for Hyderabad, India, and one of the f...
There is no doubt that Big Data is here and getting bigger every day. Building a Big Data infrastructure today is no easy task. There are an enormous number of choices for database engines and technologies. To make things even more challenging, requirements are getting more sophisticated, and the standard paradigm of supporting historical analytics queries is often just one facet of what is needed. As Big Data growth continues, organizations are demanding real-time access to data, allowing immediate and actionable interpretation of events as they happen. Another aspect concerns how to deliver ...
SYS-CON Events announced today that MangoApps will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY., and the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. MangoApps provides private all-in-one social intranets allowing workers to securely collaborate from anywhere in the world and from any device. Social, mobile, and easy to use. MangoApps has been named a "Market Leader" by Ovum Research and a "Cool Vendor" by Gartner...
SYS-CON Media announced today that @ThingsExpo Blog launched with 7,788 original stories. @ThingsExpo Blog offers top articles, news stories, and blog posts from the world's well-known experts and guarantees better exposure for its authors than any other publication. @ThingsExpo Blog can be bookmarked. The Internet of Things (IoT) is the most profound change in personal and enterprise IT since the creation of the Worldwide Web more than 20 years ago.
The world's leading Cloud event, Cloud Expo has launched Microservices Journal on the SYS-CON.com portal, featuring over 19,000 original articles, news stories, features, and blog entries. DevOps Journal is focused on this critical enterprise IT topic in the world of cloud computing. Microservices Journal offers top articles, news stories, and blog posts from the world's well-known experts and guarantees better exposure for its authors than any other publication. Follow new article posts on Twitter at @MicroservicesE
SYS-CON Events announced today that robomq.io will exhibit at SYS-CON's @ThingsExpo, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. robomq.io is an interoperable and composable platform that connects any device to any application. It helps systems integrators and the solution providers build new and innovative products and service for industries requiring monitoring or intelligence from devices and sensors.
Wearable technology was dominant at this year’s International Consumer Electronics Show (CES) , and MWC was no exception to this trend. New versions of favorites, such as the Samsung Gear (three new products were released: the Gear 2, the Gear 2 Neo and the Gear Fit), shared the limelight with new wearables like Pebble Time Steel (the new premium version of the company’s previously released smartwatch) and the LG Watch Urbane. The most dramatic difference at MWC was an emphasis on presenting wearables as fashion accessories and moving away from the original clunky technology associated with t...
SYS-CON Events announced today that Litmus Automation will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Litmus Automation’s vision is to provide a solution for companies that are in a rush to embrace the disruptive Internet of Things technology and leverage it for real business challenges. Litmus Automation simplifies the complexity of connected devices applications with Loop, a secure and scalable cloud platform.
As Marc Andreessen says software is eating the world. Everything is rapidly moving toward being software-defined – from our phones and cars through our washing machines to the datacenter. However, there are larger challenges when implementing software defined on a larger scale - when building software defined infrastructure. In his session at 16th Cloud Expo, Boyan Ivanov, CEO of StorPool, will provide some practical insights on what, how and why when implementing "software-defined" in the datacenter.