Cloud Based Payments: the future of Mobile Payments?

SIMON KEATES, THALES E-SECURITY; ROB MACMILLAN, PROXAMA

Upload: thales-e-security

Post on 16-Apr-2017



This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or disclosed to a third party without the prior written consent of Thales - © Thales 2014 All rights reserved.

NFC Mobile Payments Evolution

▌Why are NFC payments growing?
  - Global Smartphone adoption + consumers use for a range of purposes
  - Mandated contactless POS rollout worldwide – convenience and speed
  - Financial Institutions and Merchants driving mobile engagement

▌Mobile Payments Evolution

▌Where does this leave the issuer?
  - With a potentially confusing and rapidly changing environment
  - Opportunities and strategic choices

Apple Pay

▌Apple Pay, a Game Changer?
  - Oct 2014 launch brought NFC payments to iPhones
  - Simple consumer enrolment
  - New commercial model (15 bps to Apple)
  - Big marketing campaign and rollout
  - Apple in control – even had logo on POS

▌Collaborating rather than disrupting
  - Uses existing payment card rails
  - Uses established technology – EMV, NFC
  - Drove card schemes to launch tokenisation services

▌X-Pays are following
  - Samsung Pay, Android Pay, etc.
  - But it’s still early days

Tokenisation

▌What is Tokenisation?
  - Protects cardholder by replacing the PAN with a ‘surrogate’ account number, a Token PAN
  - Transactions still pass through terminals, acquirers and networks
  - Token PAN domain controls restrict use
  - EMVCo published global framework in Mar 2014

▌Tokenisation scope
  - Token generation
  - Token provisioning (with payment data) to phone
  - Storing Token/PAN map
  - De-tokenisation for authorisations and clearing

▌Wider use of Tokenisation
  - Mobile, Card on File, in-App purchases
  - Protecting other forms of data, e.g. healthcare
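
An added example, not part of the original slides: a minimal in-memory token vault showing token generation, the Token/PAN map and de-tokenisation from the scope list above, plus a domain control. The token BIN `990000`, the domain strings and every class and function name are assumptions made for illustration.

```python
import secrets

TOKEN_BIN = "990000"  # constructed placeholder range, not a real scheme allocation

def luhn_check_digit(partial: str) -> str:
    """Return the digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # these positions are doubled once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and len(pan) > 1 and luhn_check_digit(pan[:-1]) == pan[-1]

class TokenVault:
    """Issuer or scheme side: the only place the Token/PAN map is held."""

    def __init__(self):
        self._map = {}  # token PAN -> (card PAN, domain the token is bound to)

    def tokenise(self, pan: str, domain: str) -> str:
        """Token generation: a random, Luhn-valid surrogate in the token range."""
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        while True:
            body = TOKEN_BIN + "".join(secrets.choice("0123456789") for _ in range(9))
            token = body + luhn_check_digit(body)
            if token not in self._map and token != pan:
                self._map[token] = (pan, domain)
                return token

    def detokenise(self, token: str, domain: str) -> str:
        """De-tokenisation for authorisation and clearing, with the domain check."""
        entry = self._map.get(token)
        if entry is None:
            raise KeyError("unknown token")
        pan, allowed = entry
        if domain != allowed:
            raise PermissionError(f"token not usable in domain {domain!r}")
        return pan
```

Because the token is random rather than derived from the card PAN, the map inside the vault is the only way back to the real account number, and a token presented outside its bound domain is refused before any lookup result is returned.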

HCE and Cloud Based Payments (CBP)

▌Host Card Emulation (HCE)
  - Technology added in Android 4.4 in 2013
  - Provides choice SE/TSM or HCE
  - Enables an app to use NFC for payment
  - But data and processing now in software

▌Cloud Based Payment (CBP)
  - Initial deployments proprietary
  - Schemes introduced standards for operation and security in 2014
  - Transactions are EMV contactless, no changes to POS or networks

▌Consumer Experience
  - Issuers can add payment to existing mobile banking apps
  - Consumer uses something that is familiar
  - Provisioning through simple option to add an existing card to the banking app

CBP layered security

▌Dynamic keys
  - New keys dedicated to CBP transactions
  - Single or limited use keys, issuer controls key replenishment
  - All transactions online

▌Tokenisation
  - Token PAN used instead of Card PAN to protect cardholder data
  - Token PANs only useable within ‘Domains’

▌Secure communications with mobile phone
  - Key exchange with mobile phone
  - All critical keys and data supplied to phone in encrypted format

▌Application security
  - Tools for tamper resistance and whitebox cryptography
  - Certification and penetration testing of apps
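
An added example, not from the original slides or from any scheme specification: how single-use keys, issuer-controlled replenishment and online-only authorisation fit together. HMAC-SHA256 stands in for the EMV key derivation and cryptogram algorithms, and all class, function and field names are hypothetical.

```python
import hashlib
import hmac
import secrets

def cryptogram_for(key: bytes, atc: int, amount: int) -> bytes:
    """Stand-in transaction cryptogram over the counter and the amount."""
    return hmac.new(key, f"{atc}|{amount}".encode(), hashlib.sha256).digest()[:8]

class Issuer:
    MAX_USES = 1  # single-use keys; a higher value models "limited use"

    def __init__(self):
        self._master = secrets.token_bytes(32)  # would be held in an HSM
        self._next_atc = {}  # token -> first counter value not yet issued
        self._uses = {}      # (token, atc) -> approved uses so far

    def _key(self, token: str, atc: int) -> bytes:
        # Stand-in derivation: one key per (token, counter) pair.
        return hmac.new(self._master, f"{token}|{atc}".encode(), hashlib.sha256).digest()

    def replenish(self, token: str, count: int):
        """Issue the next `count` keys; sent to the phone in encrypted form."""
        start = self._next_atc.get(token, 1)
        self._next_atc[token] = start + count
        return [(atc, self._key(token, atc)) for atc in range(start, start + count)]

    def authorise(self, token: str, atc: int, amount: int, cryptogram: bytes) -> str:
        """Online check: the key must be issued, unused and match the cryptogram."""
        if atc < 1 or atc >= self._next_atc.get(token, 1):
            return "DECLINE: key never issued"
        if self._uses.get((token, atc), 0) >= self.MAX_USES:
            return "DECLINE: key already used"
        expected = cryptogram_for(self._key(token, atc), atc, amount)
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINE: bad cryptogram"
        self._uses[(token, atc)] = self._uses.get((token, atc), 0) + 1
        return "APPROVE"

class Phone:
    def __init__(self, token: str):
        self.token, self.keys = token, []

    def load(self, keys):
        self.keys.extend(keys)

    def pay(self, amount: int):
        if not self.keys:
            raise RuntimeError("no keys left: replenish from issuer")
        atc, key = self.keys.pop(0)  # the key is discarded after one use
        return atc, cryptogram_for(key, atc, amount)
```

A key copied from the handset is worth at most the transactions it has left, and because every authorisation goes online the issuer sees a replayed or never-issued counter value immediately.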

CBP deployments are spreading

Selected examples
  - RBC, Canada
  - BBVA, Spain
  - Capital One, USA
  - QIWI, Russia
  - Tinkoff, Russia
  - Barclays, UK

Cloud Based Payment future

▌Value Added Services
  - Payment on its own won’t drive adoption – consumers need incentives
  - Issuers can add mobile banking services, loyalty and marketing programmes

▌New types of issuers
  - Other issuers can adopt CBP solutions, e.g. merchant closed loop cards, transit, loyalty
  - Payment capability could be added to existing apps, especially where issuer has control of the infrastructure

▌Convergence between in-store, on-line and in-app payment
  - Payment credentials on the phone can be used for more than in-store
  - CBP credentials can support payments from other apps on the mobile, e.g. enabling merchants to ‘payment enable’ their apps
  - CBP credentials can be used for online ecommerce transactions simplifying and adding extra security

Issuer Choice: CBP and X-Pays

▌X-Pays

  ▌Pros
    - Supports a range of handsets (where service is available)
    - Could provide value added services in future
    - Could leverage scheme tokenisation for multiple X-Pays

  ▌Cons
    - Consumer experience controlled by X-Pay
    - Future development controlled by X-Pay
    - Tokenisation service controlled by scheme, no ‘on-us’ transactions and possible future charges

▌Cloud Based Payments

  ▌Pros
    - Issuer retains branding and control of consumer relationship
    - Issuer can add services and customise consumer experience
    - Issuer can implement in-house solution and continue on-us processing

  ▌Cons
    - CBP not available on Apple devices
    - May require more up front investment depending on solution

Conclusion

▌Mobile payments market is growing
  - Driven by consumer demand, NFC smartphones and acceptance infrastructure
  - X-Pays and schemes recognise this and are competing for control

▌Issuers have choice
  - Adopt X-Pays and/or CBP
  - Select scheme tokenisation and/or implement in-house

▌CBP puts issuers in control
  - Branding and customising consumer experience
  - Provision of in-house solutions

▌CBP is the future
  - An increasing number of issuers are deploying solutions
  - CBP supports value added services and payment convergence

Contacts

▌Contact us via the website: https://www.thales-esecurity.com

▌Or contact me: [email protected]

▌Contact us via the website: http://www.proxama.com

▌Or contact me: [email protected]