Mobile Payments Applications and Challenges
Jose Diaz, Director, Business Development & Technical Alliances, Thales e-security
www.thales-esecurity.com
2 / Verizon Data Breach Report
3 / Victim Industry Source: Verizon 2013 Data Breach Investigations Report
4 / Compromised Data Source: Verizon 2013 Data Breach Investigations Report
5 / Mobile Threats Global Overview
- 5.6 million potentially malicious files reported on Android, of which 1.3 million are confirmed malicious by multiple AV vendors
Source: APWG White Paper: Mobile Fraud, May 2013
6 / Trustwave 2013 Global Security Report
Key points on mobile device security
- Android platform continues to be the focus of malware
- In 2012, Trustwave's malware collection for Android grew 400%, from 50,000 to over 200,000 samples
- Malware also appeared in the Apple iTunes Store
- All malware discovered was quickly removed
- Most notable being Find and Call - malware would upload a copy of the user's address book and send SMS spam to all contacts
- Several new variants of Zeus family targeting BlackBerry devices, primarily in Germany, Italy and Spain
- Windows 8 for mobile, released late October 2012. Not much seen in way of malware or exploits directed at this operating system, so far
7 / Does Anybody Care? Source: Advanced Payments Report 2013 Edgar, Dunn & Company, Sponsored by First Data
8 / MOBILE PAYMENTS
9 / Mobile Banking
Mobile Banking Mobile Payments
- It is a direct relationship between you and your bank
- You can view your account balances
- You can pay bills, but mostly these are only to accounts you registered to pay directly (electric, phone, etc.)
- You can transfer money between your accounts
- Interac e-transfer enables you to send money to someone with an account in Canada
- You may be able to make a deposit by taking a picture of a check you want to deposit
- You cannot walk into a store and pay for purchases with a mobile banking application
10 / Why is Mobile Payments Interesting?
CNN Money: Mobile payments are expected to hit $214 billion by 2015. Transactions made by scanning a mobile phone at the register are forecast to reach $22 billion -- up from "practically none" last year.
11 / The Future Trend for Payments Source: RSR research, March 2013
12 / Who is Leading the Way?
"retailers are taking their leads from innovators PayPal and Google, whose success is driven not by service providers, but by consumers themselves"
Source: RSR research, March 2013
13 / The Traditional Payments View
Traditional Four Corner Model defines a tightly controlled ecosystem
Diagram labels: Consumer's Cards, Merchant's Systems, Network, Consumer's Bank, Merchant's Bank
14 / Mobile Acceptance Expands the Model
Traditional Four Corner Model defines a tightly controlled ecosystem
Diagram labels: Consumer's Cards, Network, Consumer's Bank, Merchant's Bank
15 / Mobile Acceptance (mPOS): EMV, Magnetic Stripe
16 / PCI's View on Mobile Payments
17 / Benefit of PCI P2PE
Diagram labels: POI (at the Merchant), Payment Gateway / P2PE Solution Provider, Acquirer, Switch, Issuer, Acquirer Domain, Payments network, P2PE Secure Link, Data protected by payments network
- Reduces pain of audit compliance for merchant
- Eliminates card data from merchant environment
- Protects data from acceptance device to Gateway or Acquirer
18 / What About Mobile Acceptance (mPOS) and P2PE?
Diagram labels: Smart Phone or Tablet, PCI-approved Secure Card Reader, POI (at the Merchant), Payment Gateway / P2PE Solution Provider, Acquirer, Switch, Issuer, Acquirer Domain, Payments network, P2PE Secure Link, Data protected by payments network
- Enables transaction data security for mPOS
- Eliminates card data from mobile device and merchant environment
- P2PE used to protect the data
- An important component for mPOS transactions!
19 / MOBILE PAYMENTS
20 / Paying with Mobile Brings New Challenges
Traditional Four Corner Model defines a tightly controlled ecosystem
Everything stays the same - but:
- Phones are insecure
- They are consumer controlled
- They can't be read in stores
Diagram labels: Consumer's Cards, Merchant's Systems, Network, Consumer's Bank, Merchant's Bank
21 / New Technologies to the Rescue
- Readability: Near Field Communications (NFC)
- Standardized Format: Mobile Wallets (apps that host payment credentials)
- Security: Secure Elements (micro-HSMs for phones)
22 / So Why Hasn't it Happened Yet?
- 1st NFC phone: Nokia 6131 (Feb 2006)
- Just unlucky or ill conceived?
- NFC is just a protocol, not an experience
- Apple's iPhone was launched only a year later (June 07)
- NFC requires POS terminals to be upgraded, but few merchants were motivated (other than taxis and subways)
- Expected penetration from 8% in 2011 to 53% in 2017
23 / Expanded Ecosystem: Several Cooks in the Kitchen
- Trusted Service Managers (TSM)
- Mobile Wallet Providers
- Mobile App Developers
- Handset Manufacturers
- Mobile Network Operators (MNO)
The payments industry is no longer a private club
Diagram labels: Merchant's Systems, Mobile Technology Providers, Network, Consumer's Bank, Merchant's Bank
24 / Paying with Mobile in Canada
- CIBC and Rogers
- RBC and Bell
- Other Banks have announced they will offer NFC payments
25 / EXPANDING SECURITY OPTIONS IN MOBILE DEVICE
26 / Trusted Execution Environment (TEE)
- Separate execution environment running alongside OS to provide security services to Rich OS
- Higher level of security than a Rich OS
- Not as secure as a Secure Element (SE), but lower cost
- Offers layer of security between a Rich OS and a SE
- Addresses use cases with lower security requirements
- Security framework within the device
- Isolates access to its hardware and software security resources from the Rich OS and its applications
- Enforces protection, confidentiality, integrity, and access rights to the resources and data belonging to Trusted Applications
- Trusted Applications are independent of each other and cannot perform unauthorized access to security resources from other Trusted Applications
Source: Global Platform's White Paper "The Trusted Execution Environment: Delivering Enhanced Security at a Lower Cost to the Mobile Market"
27 / Architecture of the TEE
Source: Global Platform's White Paper "The Trusted Execution Environment: Delivering Enhanced Security at a Lower Cost to the Mobile Market"
28 / Rich OS, TEE and SE Positioning
Security positioning for TEE compared to Rich OS or a SE
Source: Global Platform's White Paper "The Trusted Execution Environment: Delivering Enhanced Security at a Lower Cost to the Mobile Market"
29 / Summary
- Risk of data compromise is still high in the market
- Protection of payment card data is important
- Mobile devices are also targets for malware
- No question mobile is area of interest for payments
- mPOS has been primary driver for mobile use
- Has caused disruption in the payments environment
- Whether acceptance uses traditional terminal or mobile device, there is need for protecting data
- Actually, even more important for a mobile device
- Use of P2PE helps protect payment data
- Payment with mobile devices brings challenges
- Banks in Canada have deployed NFC payment options
- Global Platform has introduced more security options
- Security is an essential part of deployments to ensure customer confidence
- Customers expect it!
30 / Any Questions?