Technology in Retail Payment Innovations


Technology in Retail Payment Innovations
Mobile Payment @ the POS
Jack Jania
SVP Gemalto
[email protected]
October 2012
Agenda
The changing POS payment environment
Mag-Stripe, EMV, NFC….
NFC - TSM ecosystem
NFC Payment examples
Conclusion
Every few decades, an industry gets hit by a tsunami of changes
Diagram: U.S. Payments Industry: Issuer, Consumer, Merchant, Acquirer, Regional Networks, Global Networks
2011 Key Changes
• Isis announcement
• EMV Liability Shift
• Durbin Amendment
The associations have a technology solution ready today
EMV 4.3 compliant apps: VSDC, MChip, D-Pas, AEIPS, WLEMV
Agenda
The changing POS payment environment
Mag-Stripe, EMV, NFC….
NFC - TSM ecosystem
NFC Payment examples
Conclusion
Mag-stripe transaction
Diagram: card data (PAN, Expiry date, Service code, CVC/CVV) → POS → Issuer authorization system
Mag-stripe data is read by the POS
The data is STATIC: identical for each transaction
CVC/CVV is the encryption of (PAN, Expiry date, Service Code) using a key specific to that card. This key can be retrieved by the issuer authorization system.
7/7/2015
Presentation title – Security level Arial (10pt)
6
Mag-stripe transaction
Diagram: card data (PAN, Expiry date, Service code, CVC/CVV) → POS → Authorization request (Amount, PAN, Expiry date, Service code, CVC/CVV…) → Issuer authorization system
The POS computes the authorization request and sends it to the issuer authorization system
Mag-stripe transaction
Diagram: card data (PAN, Expiry date, Service code, CVC/CVV) → POS → Authorization request (Amount, PAN, Expiry date, Service code, CVC/CVV…) → Issuer authorization system
The authorization system performs risk management
It also checks the validity of the CVC/CVV by recalculating it using:
• the (PAN, Expiry date, Service code) transmitted in the authorization request
• the secret key associated with that card
If the CVC/CVV is validated, the card is considered genuine
Mag-stripe transaction
Diagram: card data (PAN, Expiry date, Service code, CVC/CVV) → POS → Authorization request (Amount, PAN, Expiry date, Service code, CVC/CVV…) → Issuer authorization system → Authorization response (Approved / Declined) → POS
The authorization response is sent back to the POS.
Mag-stripe transactions
Mag-stripe cards are easy to clone
Card authentication is based on STATIC data
→ Cloned cards will be considered authentic, since they carry the same data as real cards
EMV Contact & Contactless Cards
Diagram: mag-stripe on the back, EMV chip, contactless antenna inside
Mag-Stripe vs EMV transactional data
EMV chip transaction data (hex dump):
000000000000000000083902014A200228830C8859DE1F37E74D8B657FB70D110108002C035400BA038001C0003200000E16181E20242A8488A8AEB2CADADC000000621C73100803
8400621C5A0808038400621C4108080384006216030003030000621DFA0008038400621F8804020480006214500002020000621084040204000062149500010480006205F500060480006
2116D00030200006212610003028000621CAC0008038400621E6600080384000000000000000000000000000000000062196B0062017B0062049C006206930062073C0062097D00620A1
800620A5E00620B3700620B3B00620E5F00620ECB00621EF50062218C006222350000000000000000000021E921AB21A721E521C2219E03800380043A0756075B07880C880080043A1
05A00C004BA185A057A5A000005FA005A000005FA005A05FA05FA00002020200005010100000110160600010000558988FFA00000000410100062000000000000000000000000000000
14145A1000000351080000005A554E2003040000EA60004E200F0000000000000000000000000000000000067A0A16051316232636000000000000005A83C13175E543256125AB0EE34
F54EAA431EA2AE557264CC12A1F6E868A268994000000000000000062E0D0833DB0F19D15DC4C706DE3BCAB0000000000000000A291D970A2C20DF76EE60E022CB646C10000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000005AAD126F5A5A5A5A5A000000000000000000000000FF01000000000000000001000
05B6373B15ABED28E130038FCE57D5A752AD9B0CF98F50000000000000000241234FFFFFFFFFF00000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFF5
A0000000000000000000000000000000000002B08400840001000000000250000000000007530000000030000030000000000000000000000000000000000 0000000000000008400000000
840000000084000000008400000000840000000000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0000000000000000800000000019500019FB0039000C1001020118010100200101000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000A19F27019F02065F2A02
9A039F36029F520600000000000000000000000000000000000000000000000000000000D55502F60200D6550295029F1455029D019F235502AA0100CA5502970600CB5502A40600C45
502FB0300C55502FE0300C35502F80300C95502910200D15502C3199F4F9503541100C85502930200945603042000825603010200C75502900100D35502DC1200D7550324039FA1550
2AB069FA25502BD0600CD55032A0300CE55032D0300CF5503270300DE9502740900D95603332000D8560330029FA75503530100DA5602F20200DB5602F40200DC5602EE0200DD56
02F0028577C46B600E5D1ECC0FE9EB0F42B13E15FEA9F7479A0F3217C4BCD742108178D9FB07D11F32A2426098F1328BF92E6CCEF353D1FD4386C68DDD9B9EA1EEAB978E5B8
B3074BB128D07F50B207148DEAAD0C034B755ED83A38BD82B2A74D69CE1E65F0B9E7454BE9224FB65AA859BEA5DFBBEAB631A51FB1F5F54E16F3934C8DFC833A6A110158BAE
3217DEE096E409DD20FDFEF2EB6716CB23A71B42E318C23546F88BB9AECBF36390E569CBD1F5C5A3366CFDBAFBE54A29D4CC696DF2E60163D58950C8AF189BD38BEF90B0A9
ED4E0039204F1300E4457551C440BFAF41EB52D98E916DAE7F1DDB3779187FC869DF8CF99E0114A77AF8AF0EFF5226D5CF2D4F9E8C2A50FF6B6FD1E4AEFA2C2308570DB42925
8FCEF9C41632B76BB3A85F5F9C58B15DC022E4D24CD6FA60209F8794C2BE1A7C11DBD2DAFBDF6D8E7A5E7293E4A6FE5C7543EE99376B5FB7CD702AF3E93D3B35677B1F6EDD
991B1CB9AFA76A2A5FBAB440926BC82AC3DAD41C7993EE7AADCB7F2155D0AC417092713E4209C6B4EF252DD204CE8DF2FC9DB8F557DB74BD409D2B5F948ECC076CF453E991
A388B3F69EF827FAC9B952237C92A10BC1A6FC2CE80E8F0257A24DDAD08E74E145D48D00000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000004141C243C0774076B077C076E0780077007840772020102010101010101078800FF088800FF098800FF0A8800FF0B8800FF867081835F25031101125F2403
1312319F0702FF005A0855898800000000015F3401018E10000000000000000042015E0342031F039F0D05B8508C88009F0E0500000000009F0F05B8708C98005F280208409F4A01828
C219F02069F03069F1A0295055F2A029A039C019F37049F35019F45029F4C089F34038D0C910A8A0295059F37049F4C0800000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000033703157135589880000000001D13122019990000000001F5F200B5354524F55442F4A4546469F080200029F420208409F440102000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000C37081C08F01F39081902E9E82DF912E0C73BD3C3F7
7A530A70998DB353D61651CE91623F20FA97938001E23C32A1BBDB33B99F04D7BA496E2C205FAAD841358418B47BD39671D88957ECF4AF08D6C13F1B7EBA6BF21A893A3F34699
78D43DB7634D5CAA1C15396242B99BE3988B7A5CF2B44288E9FF29097AF02D9A61B6C27CE89390A94F738772811713ED38F1F5D29122FB824DFC7701CF2B92242B97330BA4E9A
6F288D450D98F9BB36D9ABF001EEF883F51D99B683ADD8EBE99577E83C99F3201030000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000BE7081BB9F468190144F280DB621BE009632BF0CD887BFC885DC62885BA2CCC951D7DEDA9B34B7CDC07BC822D5D6CB555F5B
881141F57069D4E779FE8A85BDBFE69801BAB48385D75BEE0D4806AA9A20141B70574B58342205DC344B8BB4D94909B4EA3996A9372B9E4044537FA2E0FC3A26BAEABAFEBCEE
1060E3DE4D1A2319D277AFB0732602D4F2353A955868D21C9C5394A74D98F7AE9F4701039F481AB952237C92A10BC1A6FC2CE80E8F0257A24DDAD08E74E145D48D9F49039F370
400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001F701D9F5501F09F561
60180007FFFFFF00000000000000000003000FF000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000001761154F07A0000000041010500A4D41535445524341524400296F278407A0000000041010A51C500A4D4153544552434152448
701015F2D02656EBF0C059F4D020B0A00000000
Mag-stripe track 1 and track 2 data:
%B5268xxxxxxxxxxxx^Smith/John^110120116604000000000000000000000?
;5268xxxxxxxxxxxx=11012011660400000000?
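The EMV side of this slide is BER-TLV data, which is why it is unreadable as a hex dump. As an added example (not from the deck or from Gemalto), here is a Go parser for that encoding, run over the FCI template that appears near the end of the dump above (tag 6F containing the AID in tag 84, the application label in tag 50 and the language preference in tag 5F2D). Every declared length is checked against the bytes actually remaining, so a truncated or malformed record is rejected rather than read past the end of the buffer. The sample bytes are taken from the slide; the type and function names are this example's own.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
)

// TLV is one EMV BER-TLV data object; Children is filled only for constructed tags (bit 6 of the first tag byte set), such as 6F, A5 and BF0C.
type TLV struct {
	Tag      string // upper-case hex, e.g. "9F4D"
	Value    []byte
	Children []TLV
}

// readHeader consumes a tag (one byte, plus continuation bytes while the first byte's low five bits are all ones) and a BER length (short form, or 81 xx / 82 xx xx).
func readHeader(b []byte) (tag []byte, length, n int, err error) {
	if len(b) == 0 {
		return nil, 0, 0, errors.New("tlv: empty input")
	}
	n = 1
	if b[0]&0x1F == 0x1F { // multi-byte tag: bit 8 set means another tag byte follows
		for n < len(b) && b[n]&0x80 != 0 {
			n++
		}
		n++ // the final tag byte, which has bit 8 clear
	}
	if n >= len(b) {
		return nil, 0, 0, errors.New("tlv: truncated tag or missing length")
	}
	tag = b[:n]
	switch l := b[n]; {
	case l < 0x80:
		length, n = int(l), n+1
	case l == 0x81 && n+1 < len(b):
		length, n = int(b[n+1]), n+2
	case l == 0x82 && n+2 < len(b):
		length, n = int(b[n+1])<<8|int(b[n+2]), n+3
	default:
		return nil, 0, 0, errors.New("tlv: truncated or unsupported length encoding")
	}
	return tag, length, n, nil
}

// ParseTLV parses a run of BER-TLV objects, descending into constructed ones.
// A declared length larger than the remaining input is an error, never an over-read.
func ParseTLV(data []byte) ([]TLV, error) {
	var out []TLV
	for len(data) > 0 {
		if data[0] == 0x00 || data[0] == 0xFF { // padding bytes between objects are permitted
			data = data[1:]
			continue
		}
		tag, length, n, err := readHeader(data)
		if err != nil {
			return nil, err
		}
		if n+length > len(data) {
			return nil, fmt.Errorf("tlv: tag %X declares %d bytes, only %d remain", tag, length, len(data)-n)
		}
		obj := TLV{Tag: fmt.Sprintf("%X", tag), Value: data[n : n+length]}
		if tag[0]&0x20 != 0 { // constructed object: its value is itself a list of TLVs
			if obj.Children, err = ParseTLV(obj.Value); err != nil {
				return nil, err
			}
		}
		out = append(out, obj)
		data = data[n+length:]
	}
	return out, nil
}

// Find returns the value of the first object carrying tag, searching depth-first.
func Find(objs []TLV, tag string) ([]byte, bool) {
	for _, o := range objs {
		if o.Tag == tag {
			return o.Value, true
		}
		if v, ok := Find(o.Children, tag); ok {
			return v, true
		}
	}
	return nil, false
}

const fciHex = "6F278407A0000000041010A51C500A4D4153544552434152448701015F2D02656EBF0C059F4D020B0A" // FCI from the slide's dump

func main() {
	raw, _ := hex.DecodeString(fciHex)
	fci, err := ParseTLV(raw)
	if err != nil {
		panic(err)
	}
	aid, _ := Find(fci, "84")
	label, _ := Find(fci, "50")
	fmt.Printf("AID %X  application label %q\n", aid, label)
}
```

The same `readHeader` routine serves for the CDOL1 that also appears in the dump (a list of tag/length pairs telling the terminal which data elements to send before the card generates its cryptogram); the parser only needs to skip the value step for that case.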
EMV chip transaction – Online
Diagram: card ↔ POS (card data; amount, currency, …) → Issuer authorization system
Transaction initiation: POS and card exchange data
• Track 2 equivalent data
• Card settings and capabilities
• Transaction data (amount, currency, date, etc.)
• …
EMV chip transaction – Online
Diagram: POS → card: amount, currency, …; card → POS: card data, ATC, ARQC, … → Issuer authorization system
Card generates an Authorization ReQuest Cryptogram (ARQC).
ARQC is the encryption of card and terminal data using a secret key specific to that card. This key can be retrieved by the issuer authorization system.
ARQC is a DYNAMIC cryptogram: it is different for each transaction
EMV chip transaction
Diagram: (ATC, Amount, Currency, Date, …) → 3-DES → ARQC
ATC is a transaction counter. It is incremented for each transaction
→ The card will never generate the same ARQC value twice
EMV contact transaction – Online
Diagram: card data, ATC, ARQC → POS → Authorization request (Amount, PAN, ATC, ARQC…) → Issuer authorization system
Authorization request is sent to the issuer authorization system
• Same data as a mag-stripe transaction
• Additional EMV data
EMV contact transaction – Online
Diagram: card data, ATC, ARQC → POS → Authorization request (Amount, PAN, ATC, ARQC…) → Issuer authorization system
The authorization system performs risk management
It also checks the validity of the ARQC by recalculating it using:
• the data transmitted in the authorization request
• the secret key associated with that card
If the ARQC is validated, the card is considered genuine, and there is a guarantee that the transaction data has not been tampered with (amount, …)
EMV contact transaction – Online
Diagram: card data, ATC, ARQC → POS → Authorization request (Amount, PAN, ATC, ARQC…) → Issuer authorization system → Authorization response (Approved / Declined, ARPC, …) → POS → card (Issuer’s decision, ARPC) → Card’s final decision
Issuer host generates an authorization response
Response may include an Authorization ResPonse Cryptogram (ARPC) that authenticates the issuer and the issuer decision. The card may validate the ARPC before giving its final decision.
EMV contact transaction – Online
Card authentication is based on DYNAMIC data (ARQC) generated by the card secret key
Card secret key cannot be retrieved from one card and duplicated onto another card
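The two issuer-side checks the deck describes, recomputing the static CVC/CVV from (PAN, expiry, service code) and recomputing the dynamic ARQC over the transaction data and the ATC, as one added Go example that is not the deck's or Gemalto's code. A 3-DES CBC-MAC stands in for the card-specific keyed function (an assumption: the real CVV and EMV cryptogram derivations differ in detail, and EMV uses session keys and a longer list of data elements); the card key, PAN, amounts and dates are constructed. The point it makes is the one on these slides: a copy of the stripe verifies exactly like the original every time, while a replayed ARQC is caught by the counter and a modified amount breaks the cryptogram.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// mac3DES: 3-DES CBC-MAC (zero IV, zero-padded to 8-byte blocks) under a 24-byte key.
// Constructed stand-in for the card-specific keyed functions the deck refers to.
func mac3DES(key, msg []byte) ([]byte, error) {
	blk, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	padded := make([]byte, (len(msg)+8)/8*8) // always at least one block
	copy(padded, msg)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(blk, make([]byte, des.BlockSize)).CryptBlocks(out, padded)
	return out[len(out)-des.BlockSize:], nil
}

// ComputeCVV derives a 3-digit CVC/CVV-style value from the STATIC stripe fields.
func ComputeCVV(cardKey []byte, pan, expiryYYMM, serviceCode string) (string, error) {
	mac, err := mac3DES(cardKey, []byte(pan+expiryYYMM+serviceCode))
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%03d", binary.BigEndian.Uint32(mac[:4])%1000), nil
}

// IssuerVerifyCVV is the issuer-side check: recompute from the fields received in the
// authorization request and compare. Nothing in the input changes between transactions,
// so a copy of the stripe verifies exactly like the genuine card.
func IssuerVerifyCVV(cardKey []byte, pan, expiryYYMM, serviceCode, presented string) bool {
	expected, err := ComputeCVV(cardKey, pan, expiryYYMM, serviceCode)
	return err == nil && subtle.ConstantTimeCompare([]byte(expected), []byte(presented)) == 1
}

// TxData is the card and terminal data the ARQC covers (a constructed subset of the CDOL elements).
type TxData struct {
	Amount   uint64 // minor units
	Currency uint16 // ISO 4217 numeric code
	Date     string // YYMMDD
	ATC      uint16 // Application Transaction Counter
}

func (t TxData) encode() []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, t.Amount)
	binary.Write(&b, binary.BigEndian, t.Currency)
	b.WriteString(t.Date)
	binary.Write(&b, binary.BigEndian, t.ATC)
	return b.Bytes()
}

// Card models the chip: the key never leaves it, and the ATC advances on every transaction.
type Card struct{ key []byte; atc uint16 }

// GenerateARQC increments the ATC and returns it together with the cryptogram for this transaction.
func (c *Card) GenerateARQC(amount uint64, currency uint16, date string) (uint16, []byte, error) {
	c.atc++
	mac, err := mac3DES(c.key, TxData{Amount: amount, Currency: currency, Date: date, ATC: c.atc}.encode())
	return c.atc, mac, err
}

// Issuer holds the same key and the last ATC it accepted for this card.
type Issuer struct{ key []byte; lastATC uint16 }

// VerifyARQC recomputes the cryptogram over the received data, then rejects a counter
// that has not advanced: a replayed authorization request carries a stale ATC.
func (i *Issuer) VerifyARQC(tx TxData, arqc []byte) (bool, string) {
	expected, err := mac3DES(i.key, tx.encode())
	if err != nil || subtle.ConstantTimeCompare(expected, arqc) != 1 {
		return false, "ARQC mismatch: wrong key or modified data"
	}
	if tx.ATC <= i.lastATC {
		return false, "ATC not increasing: replay"
	}
	i.lastATC = tx.ATC
	return true, "genuine"
}

func main() {
	key := []byte("constructed-24-byte-key!") // constructed sample card key
	pan := "5268000000000000"                 // constructed sample PAN
	cvv, _ := ComputeCVV(key, pan, "1101", "201")
	fmt.Println("stripe copy verifies every time:", IssuerVerifyCVV(key, pan, "1101", "201", cvv))
	card, issuer := &Card{key: key}, &Issuer{key: key}
	atc, arqc, _ := card.GenerateARQC(1999, 840, "121015")
	tx := TxData{Amount: 1999, Currency: 840, Date: "121015", ATC: atc}
	fmt.Println(issuer.VerifyARQC(tx, arqc)) // true genuine
	fmt.Println(issuer.VerifyARQC(tx, arqc)) // false ATC not increasing: replay
	tx.Amount = 199
	fmt.Println(issuer.VerifyARQC(tx, arqc)) // false ARQC mismatch: wrong key or modified data
}
```

The cryptogram check runs before the counter check so that a request with a bad MAC is never allowed to influence the stored ATC; an issuer that tracks the last accepted ATC per card gets replay detection for free from data the card already sends.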
Introduction to NFC
What is Near Field Communication?
• Short range wireless (<4 cm); low speed (<424 kbit/s)
• User friendly & simple (no discovery, no pairing, just “tap”)
• Passive capability (one of the devices can be unpowered)
NFC has 3 modes:
1. Card Emulation allows a mobile phone to simulate a physical contactless card
2. Reader/Writer allows reading or writing information to or from a passive tag/poster
3. Peer-to-Peer allows bidirectional communication between devices
Anatomy of an NFC Smart Phone
NFC phones contain special hardware (diagram: Phone Processor, Secure Element, NFC Controller, NFC Antenna)
• Secure Element: stores sensitive data (like payment card information)
• NFC Controller: manages traffic and RF signals
• NFC Antenna: collects & transmits the RF
NFC hardware is supported by multiple cell phone manufacturers
EMV contactless and NFC transactions – Online
Diagram: card or phone ↔ POS (card data; amount, currency, …; ATC, ARQC, …; Issuer’s decision, ARPC; Card’s final decision) → Authorization request (Amount, PAN, ATC, ARQC…) → Issuer authorization system → Authorization response (Approved / Declined) → POS
Contactless and NFC transactions offer the same level of security as contact transactions.
Contactless and NFC devices leave the field before the authorization response is received by the POS.
Issuer actions can be performed:
• Card: during the next contact transaction
• Mobile phone: using the OTA (over-the-air) channel
Agenda
The changing POS payment environment
Mag-Stripe, EMV, NFC….
NFC - TSM ecosystem
NFC Payment examples
Conclusion
NFC Ecosystem
Diagram: Bank, Transport Operators, Merchants…; SP TSM Services; MNO TSM; MNO OTA Platform; Mobile Wallet; Consulting; SE Applications; Contactless Infrastructure; UICC & eSEs; NFC Phone; Micro SDs
Functional block flow diagram
Diagram components: Personalization System; Data Prep; SP TSM; SE/MNO TSM; Tower; Phone (SE, Wallet (UI), NFC); Virtual Card; Reader / NFC (Contactless Spec For Reader App); POS Terminal; Merchant Acquirer; Cardholder/Authorization; Card Mgmt. System; Transactional System
Bank and Wireless Operator TSM architecture
Diagram: SP 1 Backend System and SP 2 Backend System → SP TSM (Core TSM, in the Banking Security Zone of the Gemalto Operation center) ↔ MNO TSM (NFC Business Enabler, in the Operator Security Zone) → MNO Backend systems, with custom integration based on the APIs of MNO components
Core TSM: in charge of NFC service provisioning and management
NFC Business Enabler: MNO’s control point, global view and integration to backend systems
SP-TSM and MNO TSM: Roles and responsibilities
Diagram: functions of the Payment TSM (SP side) and the MNO TSM (Business Enabler)
• SP global subscriber view
• SP Security Domain management
• Application provisioning and personalization
• Post-perso (top-up, counter reset …)
• End of life
• Token management
• Key Management
• Service Interface
• MNO global subscriber view
• Lock & unlock
• Global SE control
• SE & handset replacement
• Notifications
• Single entry point for any TSM
• SDSP
A little bit more detail
Diagram: Bank backend systems: Mainframe / Account Management (prepares and transfers the mobile card input file), Authorization System, OTP / Authentication System; post-issuance events from CMS or SVA / Customer Service / Internet
Gemalto Operation center (TSM Certified Zone): Payment TSM, GP TSM, Controlling Authority, Mobile EMV DP (alternatively supplied by a 3rd party; for GP2.2A SE only), Mobile Customer Workflow Manager
MNO TSM 1 / MNO TSM 2 (Business Enabler, NBE) → MNO 1 / MNO 2 Backend System → Customer Handset
Flows: one-off provisioning; recurrent flow; key ceremony for Payment MKey exchange; key ceremony for CAP / Auth. Key exchange; messaging or AFSCM API; real-time transmission of post-issuance events from the customer handset (OTA channel); post-issuance events from backend (OTA channel); notification of post-issuance events from customer handset or MNO
Bank data is encrypted end-to-end during transport
Diagram: EMV Data → SCP02 (for SD) → 03.48 secure OTA → EMV Data
Confidential Card Content Management (CCCM of the GP standards): guarantees the confidentiality of application code, commands and data exchanged OTA
Authorized Management: separate levels for the MNO and TSM SDs in the USIM; enables a TSM to create new SDs and download & personalize applications in total freedom
Agenda
The changing POS payment environment
Mag-Stripe, EMV, NFC….
NFC - TSM ecosystem
NFC Payment examples
Conclusion
ISIS mobile & Card Payment Flow – In-store transaction
Diagram: (1) In-store POS (Merchant) → Merchant acquirer → (2) Network (VISA, MasterCard, Amex, Discover) → (3) Issuing bank
Card Present Transaction
Google Wallet V2 – In-store transaction
Google becomes Issuer & Merchant
Diagram (steps 1–5): In-store POS (Merchant) → Merchant acquirer → MasterCard Network → Google Cloud as ISSUER of the Wallet ID (Google VC MC): Card Present Transaction; Google as MERCHANT (Merchant Acquirer Host) → Network (VISA, MasterCard, Amex, Discover) → Linked card Issuing bank (Issuer Authorization Host, Bank CMS DB): Card Not Present Transaction
Wallet ID (Google VC MC) vs linked cards: Credit Card 1, Credit Card 2, Credit Card 3, …
Conclusion
EMV infrastructure is much more secure than the existing mag-stripe card infrastructure.
NFC mobile payment leverages existing EMV POS methodology to enhance mobile payment security
Payment risk ownership will be predicated on the back office model adopted by the mobile provider & Issuing bank
Technology in Retail Payment Innovations
Jack Jania
SVP Gemalto
[email protected]
October 2012
Gemalto (NYX:gto.pa) secures the lives of billions of people in payments, mobile, governments/military & corporations
• € 2.1 billion revenue 2011
• Innovation: 14 R&D centers worldwide; 1,500+ engineers; 107 inventions first filed in 2011; 1,200 patent families
• Global footprint: 15 production centers; 28 personalization facilities; 74 sales & marketing offices
• Experienced team: 10,000+ employees; 100 nationalities; 43 countries
Revenue by segment chart (% of FY ’11 revenue): Mobile Com, Secure Trans, Security, M2M
Regional revenue: North & South America € 580m (29% of revenue); Europe, Middle East, Africa € 1040m (52% of revenue); Asia € 380m (19% of revenue)