NFC Application Mobile Payments Public MobileKnowledge June 2014
Agenda Introduction to payments Card based payments Mobile based payments NFC based payments mpos solutions NXP Product portfolio Successful use cases 2
Introduction to payments From barter to mpayments The transfer of an item of value from one party to another in exchange for the provision of goods, services or both or to fulfill a legal obligation Payments are frequently preceded by an invoice and result in a receipt Neolithic Age 10.000 years ago Lydia (Turkey) 7th Century BC United States 20th century Worldwide 21th century Exchanging To change coin, money and banknote Provisioning To transfer money from one account to another 3
Credit Card based payments Evolution of plastic money Embossed Credit Card Payment data raised or relief in metal Easy to clone, data cannot be updated, short live Magnetic Stripe Credit Card Payment data is stored by modifying the magnetic particles of the magnetic band Easy to clone, data cannot be updated, short live Chip Credit Card Payment data is stored in high-secure tamper resistant ICs Impossible to clone, data can be updated on-demand, long live Contactless Credit Card Payment data is stored in high-secure tamper resistant ICs and accessed wirelessly Impossible to clone, data can be updated on-demand, very long live Purchases are completed in a faster and more intuitive way 4
Credit Card based payments Payment transaction 3- Auth request (transaction info) 4- Auth request (transaction info) 6- Auth response 5- Auth response Acquirer Bank $$$ Payment Network $$$ Issuer Bank 2- Card and transaction info 7- Transaction result Settlement Bank 1- Present Card Merchant Cardholder Offline operation Online operation 5
Credit Card based payments Payment card schemes Global Payment Card Schemes Magnetic Stripe RuPay: Rupee Payment PBOC: People s Bank of China EMVCo: Europay Visa MasterCard EMV Fraud Reduction numbers Europe (EMV Continent) 36% overall drop in fraud over 5 years UK fraud drops 69% over five years Fraud basic point drops 25% in France US (only non-emv G20 Country) $6.1 billion fraud losses in 2012 Potential $44.8 billion fraud losses over the next 5 years EMV migrating costs estimated at $8.6 billion 6
Credit Card based payments EMV Specifications EMVCo is currently governed by Visa, MasterCard,Amex, Discover, JCB & CUP EMVCo books define debit, credit and prepaid payment systems for IC based transactions EMVCo Contactless books provide extension for contactless transactions EMVCo defines two certification levels: Level 1: physical, electrical and transport level interfaces Level 2: payment app selection and credit financial transaction processing VSDC M/Chip 4 Others PayWave PayPass Others EMVCo 1, 2, 3, 4 books EMVCo Contactless A, B, C, D books ISO 7816 1/2/3/4/5 specifications ISO 14443 EMVCo Contact IC Stack EMVCo Contactless IC Stack 7
Credit Card based payments EMV Transaction Flow Cardholder Application Selection Identify mutually supported Application Identifiers (AID) Card Authentication Method Static, Dynamic or Combined Data Authentication Merchant Acquirer Bank Payment Network Issuer bank Card Verification Method Online PIN, Offline PIN, Signature, no CVM Card risk analysis Online / Offline transaction Validation by the card of the online processing Completion and script processing by IC POS risk analysis Online / Offline transaction Online Transaction authorization (optional) Offline operation Online operation 8
Credit Card based payments EMV Transaction Flow Cardholder Application Selection Identify mutually supported Application Identifiers (AID) Card Authentication Method Static, Dynamic or Combined Data Authentication Merchant Acquirer Bank Payment Network Issuer bank Card Verification Method Online PIN, Offline PIN, Signature, no CVM Card risk analysis Online / Offline transaction Validation by the card of the online processing Completion and script processing by IC POS risk analysis Online / Offline transaction Online Transaction authorization (optional) Sensitive Data is exchanged among entities through public networks Hardware and Software (POS, Routers, Firewalls, ) can be corrupted Offline operation Online operation 9
Credit Card based payments Payment Card Industry Security Standard Council The PCI Security Standard Council is focused on the security of the payment industry ecosystem The PCI Data Security Standard applies to entities that store, process or transmit cardholder data or authentication data 10
Credit Card based payments Summary Credit card payments and mobile payments have a lot in common Payments ecosystem is composed by the following entities The cardholder, the merchant, the issuer bank, the acquirer bank and the payment network Chip and PIN cards provide the most secure and convenient credit card solution EMVCo is the international standard for chip based credit cards. PCI Security Standard Council is in charge of the security of the whole ecosystem 11
Introduction to mobile payments Mobile payment schemes and market status Payment services performed from or via a mobile device Mobile payments adoption forecast Up to 20% of current retailing payments come from mobile channels. By 2020, 50% of transactions will be performed by a mobile phone. Four primary models for mobile payments Premium SMS based transactions Direct Mobile Billing Mobile web payments Near Field Communication (NFC) 12
NFC based payments The technology in a nutshell Payment data stored in our mobile device NFC enabled mobile devices used as payment cards Proximity communication and difficult to spy (2cm) Transactions are carried out in the same way No impact on security Compatible with current standardized infrastructure (POS) Advantages of a NFC phone compared to a card Processing power & memory Connectivity User interface Battery EMV Application Activation User Interface for Wallet applications Describes how to enable/disable payments applications from Wallet apps 13
NFC based payments Card Emulation configurations The NFC device can emulate a card using: Secure Element: high secure and tamper resistant microcontroller in the device, Widely deployed solution Form factors: usd, ese, UICC Host Processor: main processor of the device where the OS and applications reside The NFC Controller forwards each APDU according to its Routing Table App Processor (Host) HCI / NCI NFCC HCI / SWP NFC - WI SE 14
NFC based payments Secure Element based payments A specific IC to handle and store sensitive data Non-Volatile Memory Security CPU Crypto co-processors Protected through cryptographic keys Only authorized entities can access the SE Protected against tampering & attacks Secure IC validated by third parties certification, i.e. Common Criteria Same family of product as used in payment cards, e-passports Proven secure mass market products 15
NFC based payments Secure Element based payments - Specs GlobalPlatform specs define the management of multi secure applications and the messaging for the personalization, security key management and application loading on the SE Specs are independent of the final applications EMVCo is the standard for secure chip based payments Payments applications are certified together with the hardware and software on top of which they are executed JCOP 16
NFC based payments Secure Element based payments - Ecosystem Physical flow Logical flow MNO/Retailer Customer Silicon Manufacturer OEM Secure Element Manufacturer SE-TSM OEM MNO Service Prov SP-TSM Service Provider ese UICC usd 17
NFC based payments Card instantiation and selection procedure Activate / Deactivate Payments applets Update PPSE with new instantiated AID AAUI (Wallet) PPSE AID: 2PAY.SYS.DDF.01 MMPP Instance 1, Prio: 23 AID: A000000004101001 MMPP Instance 2, Prio: 21 AID: A000000004101002 Select 2PAY.SYS.DDF.01 A000000004101001, 3; A000000004101002, 2; A000000003201001, 1; TSM Creates and maintains instances of mobile payments applets Create applet Instance VMPA Instance 1, Prio: 30 AID: A000000003101001 VMPA Instance 1, Prio: 1 AID: A000000003201001 Secure element Select A000000003201001 18
NFC based payments HCE based payments Sensitive information is stored in the Host Processor or in the Cloud More memory available via host versus secure element Application/service providers and end users get (more) control Versus ese / UICC models under control of OEM s / MNO s It may accelerate the deployment of NFC services (Simpler ecosystem) more-simple-but-less-secure card emulation Endorsement of HCE payments by VISA and MasterCard EMV Payment Tokenization Specification (March 2014) Certification, a big job ahead 19
NFC based payments HCE based payments - Tokenization Token Merchant Tokenization: replacement of sensitive data with a unique identifier that cannot be mathematically reversed. PCI mandates PAN s not to be stored on non PCI DSS compliant devices Cardholder Auth Request Token Auth Response Token + Last4digPAN Acquirer Bank Must be monitored in real time, which forces always online authentication at POS Auth Request Token Auth Response Token + Last4digPAN Payment Network De-tokenization Token Service Provider Auth Request Token + PAN Auth Response PAN Issuer bank 20
NFC based payments HCE based payments - Ecosystem SE-TSM? Mobile Application Manager SP-TSM? HCE/cloud-based payments platform Issuer bank Traditional eco-system Payment Network Mobile Application HCE/cloud based payments Cardholder Merchant Acquirer Bank 21
NFC based payments SECE vs HCE Advantages of the SECE It is a provable secure solution Fully standardized Specs and Certification processes validated Well-known ecosystem Works with Offline POS infrastructure Meets timing requirements for POS redemption Advantages of the HCE It does not require specific hardware Issuer centric business model Ideal for small service providers Bigger memory capacity Full support of Android s API 22
mpos Solutions
mpos solutions Market status and forecast mpos adoption is expected to increase to 38 million by 2017, with a forecast CAGR of 42.7% largely driven by retailing sector By 2017, the adoption of mpos terminals over standard POS terminals will be 46% as opposed to the 17% in 2012. mpos proximity payment value $Billions 6 5 4 3 2 1 0 2012 2013 2014 2015 2016 2017 2018 Source: Payment Cards & Mobile 24
mpos solutions mpos system architecture Mobile is revolutionizing the traditional retail market Consumers and merchants increasingly interact in-store using tablets and/or integrated tablet systems mpos devices require a connection with another mobile device, be it a handset, tablet, or PDA. MagStripe HW Contact reader IC Contactless reader IC MAIN CONTROLLER UNIT PMU Secure Bat Battery Display Keypad Ext Memory SRAM, Flash 25
mpos solutions Specifications and Certifications mpos terminal requirements to be EMV Certified Contact & Contactless Level 1, Level 2 mpos terminal requirements to be PCI Certified PCI Data Security Standard (DSS) PCI Payment Application (PA) Data Security Standard (DSS) PCI Pin Transaction Security (PTS) PCI Pin Transaction Security (PTS) for Point of Interaction (PoI) PCI Point to Point Encryption (P2PE) Certification is completed by independent labs according to Visa and MasterCard Partner programs 26
NXP Portfolio for Mobile Payments
Mobile NFC ICs NFC Controllers + Secure Element NFC Controllers PN547 EMVCo 2.0 compliant 50% smaller footprint 50% power consumption reduction Cortex M0 uc SWP interface supported Largest operating range PN65T Stacked IC solution including PN547 and Smart MX2 (P61N1M3) JCOP3.0 28
NFC Reader ICs Low cost RF front-end IC NFC compatible with FeliCa, NFC-IP1, ISO/IEC14443 A & B support Full NFC device (Read/Write, Card Emulation, full P2P) Dedicated booster for EMVco (VISA, MASTERCARD) RF compliant Highest RF output power front-end IC paired with intelligent low power card detection Support of all major 13.56 MHz standards NFC-Ready device (Read/Write, P2P Passive Initiator) EMVco (VISA, MASTERCARD) RF compliant without dedicated booster 29
Successful Use Cases
ISIS Mobile Wallet Secure Element based Mobile Wallet Joint Venture among AT&T, T-Mobile and Verizon Wireless Submit payment and loyalty information in only one tap Visa, MasterCard, Amex, Barclaycard US and Discover Network SIM/UICC is used as the Secure Element Users can remotely suspend their account in case of loss Commercial launch in the United States 31
Bankinter & BRC Mobile Wallets HCE based Mobile Wallet Spain-based Bankinter bank together with Spanish Seglan company has developed a HCE solution for EMV payments Risk assessment' process performed by Fraunhofer AISEC laboratory Bank Royal of Canada has introduced an NFC mobile payments service that stores customer s cards details in the cloud Its EMV-enabled Secure Cloud service uses the Secure Element to store tokens. 32
Google Wallet Moving from SE to HCE based Wallet Google Wallet version 1.0 Released in September 2011 Google, MasterCard, Citibank and NXP joined the project All credit card information stored in the SE Google Wallet version 1.5 Released in August 2012 Support for all major credit cards: Visa, American Express, Cards data stored in Google s highly secure servers A virtual card ID is stored in the SE, which is used for transactions Google Wallet version HCE Released in March 2014 Google goes HCE and ends support for physical SE 33
Conclusion
Mobile Payments Summary Mobile payments market share to significantly increase in the incoming years NFC based payments are compliant with traditional card based ecosystem Well-known ecosystem defined for many years Mobile devices provide new features EMVCo is the international standard for NFC mobile payments Two main configurations are available: SE and HCE based payments Mobile devices to be used also as mpos devices NXP is offering the widest portfolio in the market Successful mobile payment applications are already in the market 35
MobileKnowledge Thank you for your attention www.themobileknowledge.com We are a global competence team of hardware and software technical experts in all areas related to contactless technologies and applications. Our services include: Application and system Design Engineering support Project Management Technological Consulting Advanced Technical Training services We address all the exploding identification technologies that include NFC, secure micro-controllers for smart cards and mobile applications, reader ICs, smart tags and labels, MIFARE family and authentication devices. For more information Eric Leroux eric.leroux@themobileknowledge.com +34 629 54 45 52 36
NFC Application Mobile Payments Gorka Hernando (Speaker) / Eric Leroux (Host) Thank you for your kind attention! Please remember to fill out our evaluation survey (pop-up) Check your email for material download and on-demand video addresses Please check NXP and MobileKnowledge websites for upcoming webinars and training sessions www.nxp.com/products/related/customer-training.html www.themobileknowledge.com/content/knowledge-catalog-0 37