EMVCo: Global Specifications for Secure Mobile Transactions
Brian Byrne, Director of Operations, EMVCo
8 October 2015
Copyright ©2015 EMVCo 2
Agenda
• Introduction to EMVCo
• NFC Related Initiatives
  – Payment Tokenisation
  – Level 1 Handset Approval
  – Software Based Mobile Payments
• Industry Engagement
Introduction to EMVCo
EMVCo’s Mission
To facilitate the worldwide interoperability and acceptance of secure payment transactions by managing and evolving the EMV Specifications and related testing processes
Scope
• EMV Contact Chip Spec
• EMV Chip Terminal Type Approval Process
• Interoperability Management
• CCD / CPA EMV Chip Specs
• EMV Chip Security Evaluation & Card Type Approval
• Contactless & Mobile
• Next Generation
• Terminal mPOS, Security & Integration Task Forces
• Tokenisation
• 3D-Secure 2.0
• Next…
Roles of EMVCo and Payment Systems
EMVCo:
• Manage and evolve EMV Specifications
• Perform product testing & certification
• Enhance payment security
• Support emerging payment technologies
Global, Regional and Domestic Payment Systems:
• Product development
• EMV mandates
• Commercial incentives
• Fraud liability shift policy
Payment Tokenisation
Overview of EMV Payment Tokens
EMV payment tokens further enhance the security of digital payments and simplify the purchase experience when shopping on mobile, computers or other smart devices.
• Replaces a traditional card account number (PAN) with a unique payment token
• Restricts the use of a payment token by device, merchant, transaction type or channel
Fraudulent activity is reduced because:
• A payment token is limited to a specific acceptance domain
• A payment token can be unlinked from the card account number as required
• Card account numbers are less available for compromise
One Example of the Payment Tokenisation Process
1. Cardholder interacts with the Mobile/Digital Wallet, which presents the token to the Merchant.
2. Merchant → Acquirer: Authorisation Request carrying Token and Token Exp. Date.
3. Acquirer → Payment Network: Authorisation Request carrying Token and Token Exp. Date.
4. Payment Network → Token Service Provider (Token Vault): De-Tokenise the token back to the PAN.
5. Payment Network → Issuer: Authorisation Request carrying PAN, PAN Exp. Date, Token + Token Exp. Date.
6. Issuer → Payment Network → Acquirer → Merchant: Authorisation Response carrying the Token (the PAN does not travel back).
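The flow above and the domain restrictions described in the token overview, as an added example that is not EMVCo's or any TSP's code. It simulates the three parties around the token vault: the network de-tokenises, enforces the acceptance domain the token was issued with, forwards the PAN to the issuer, and returns only the token. The token BIN `499999`, the field names, the response codes and the sample card file are assumptions made for illustration.

```python
"""Toy EMV-style tokenisation flow: merchant -> acquirer -> payment network / TSP -> issuer.
Constructed example, not EMVCo's or any TSP's code. The token BIN, field names,
response codes and the sample card file are assumptions for illustration only.
"""
import secrets
from dataclasses import dataclass

def luhn_check_digit(body: str) -> str:
    """Luhn (ISO/IEC 7812) check digit for a digit string, so the token routes like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:                      # rightmost body digit is doubled first
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)

@dataclass
class TokenRecord:
    pan: str
    pan_exp: str        # YYMM
    token_exp: str      # YYMM; token and card expiry are independent
    domain: dict        # acceptance domain the token is restricted to
    active: bool = True

class TokenVault:
    """Token Service Provider side: the only place a token maps back to a PAN."""
    TOKEN_BIN = "499999"   # assumed token BIN; real token BINs are allocated by the payment system

    def __init__(self):
        self._by_token = {}

    def tokenise(self, pan, pan_exp, domain, token_exp):
        # Random token: holding it reveals nothing about the PAN it stands for.
        while True:
            body = self.TOKEN_BIN + "".join(str(secrets.randbelow(10)) for _ in range(9))
            token = body + luhn_check_digit(body)
            if token != pan and token not in self._by_token:
                break
        self._by_token[token] = TokenRecord(pan, pan_exp, token_exp, dict(domain))
        return token

    def deactivate(self, token):
        """Unlink the token from the PAN (lost device, merchant breach) without reissuing the card."""
        self._by_token[token].active = False

    def detokenise(self, token, token_exp, context):
        """Return ((pan, pan_exp), 'ok') if the token is live and used inside its domain,
        otherwise (None, reason). Every restriction the token was issued with must match."""
        rec = self._by_token.get(token)
        if rec is None:
            return None, "unknown_token"
        if not rec.active:
            return None, "token_deactivated"
        if token_exp != rec.token_exp:
            return None, "token_expiry_mismatch"
        for key, expected in rec.domain.items():
            if context.get(key) != expected:
                return None, "domain_mismatch:" + key
        return (rec.pan, rec.pan_exp), "ok"

def issuer_authorise(card_file, issuer_req):
    """Issuer host: sees the PAN (and the token, useful for risk scoring) and decides."""
    if card_file.get(issuer_req["pan"]) != issuer_req["pan_exp"]:
        return {"approved": False, "reason": "unknown_card"}
    return {"approved": True, "reason": "ok"}

def payment_network_authorise(vault, card_file, acquirer_req):
    """Payment network: de-tokenise, forward PAN + token to the issuer, and make sure only the
    token (never the PAN) travels back towards acquirer and merchant."""
    result, reason = vault.detokenise(acquirer_req["token"], acquirer_req["token_exp"], acquirer_req)
    if result is None:
        return {"token": acquirer_req["token"], "approved": False, "reason": reason}
    pan, pan_exp = result
    issuer_req = {**acquirer_req, "pan": pan, "pan_exp": pan_exp}
    issuer_resp = issuer_authorise(card_file, issuer_req)
    return {"token": acquirer_req["token"], **issuer_resp}

def demo():
    vault = TokenVault()
    card_file = {"4111111111111111": "2512"}          # constructed sample issuer card file
    token = vault.tokenise("4111111111111111", "2512",
                           domain={"channel": "NFC", "device_id": "phone-01"}, token_exp="1712")
    req = {"token": token, "token_exp": "1712", "channel": "NFC",
           "device_id": "phone-01", "amount": 1250}
    in_domain = payment_network_authorise(vault, card_file, req)      # approved, no PAN in response
    wrong_channel = payment_network_authorise(vault, card_file, {**req, "channel": "ECOM"})
    vault.deactivate(token)                                           # e.g. phone reported lost
    after_unlink = payment_network_authorise(vault, card_file, req)
    return token, in_domain, wrong_channel, after_unlink

if __name__ == "__main__":
    for r in demo():
        print(r)
```

The point of the shape: the merchant and acquirer only ever see a Luhn-valid 16-digit value that is useless outside its device and channel, and a compromised card-on-file store can be dealt with by `deactivate` rather than by reissuing the card.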
Focus of EMVCo’s Payment Tokenisation Activity
Key elements of the new specification include:
• New data fields to provide richer information about the transaction
• A consistent approach to identify and verify a consumer before generating the token
The EMV Specification will:
• Ensure broad-based acceptance of a token as a replacement for a card account number
• Enable participants in the existing ecosystem to route and authenticate a payment token
• Improve payment card security with tokens that are limited for use in specific environments
• Set requirements for token domain restriction controls to prevent token misuse
Examples of Token Activity
Broad proliferation of models (remote and proximity) has accelerated token usage:
• Card-on-File Merchant: merchant uses tokens in lieu of PANs in its card-on-file database
• Digital Wallet: branded digital wallet presents “Pay with Wallet” in front of card-on-file
• QR and Bar Code: QR or bar code supplier puts a “bar-code” in front of card-on-file
• NFC: tokens in an NFC device
• EMV Chip: tokens in an EMV chip device
EMVCo Payment Tokenisation Roadmap
2015 Goals (Q1-3 2015): TSP registration & listing programme management
• List and registration process to be made available on the EMVCo website
• Ongoing work with PCI SSC for investigation of industry standard TSP security requirements
2015 - 2016: Payment Tokenisation Specification – Technical Framework Updates
• Clarifications – including more clarity on assurance levels and the aggregator concept
• Payment account reference (PAR)
• Expanded token use cases – transit, EMV chip card offline, 3rd party TSP, ATM, split shipment, receipt-less returns
2015 - 2016: Ongoing industry engagement
• Regional payments bodies
• Global standards bodies
• Merchants, processors, issuers, acquirers
• Payment innovators and others
2015 Goals: Tokenisation Engagement Opportunities
• Oct 15: Seminar | Barcelona, Spain
• Nov 3: Seminar | Jakarta, Indonesia
• Nov 4: Webinar in conjunction with SCA
Handset Approval
Mobile Payment Products Level 1 - Test Coverage
Mobile Payment Products under test: NFC Controller; Host CPU (SoC) running HCE; UICC; eSE
EMVCo test coverage:
• Phase 1 - Analogue and Digital
• Phase 2
  – Performance - impact of the mobile device on the transaction duration
  – Interoperability - compatibility with terminals in the field
  – Validation is a subset of interoperability (terminals and positions)
Mobile Payment Products Level 1 - Test Coverage
• The purpose is to permit product providers to submit their products to a single type approval process.
EMVCo Phase 1 - Mobile with eSE or UICC:
• TA for Mobile with UICC and TA for Mobile with eSE
• TAS for Mobile with UICC and TAS for Mobile with eSE: 1 TAS for each EE in the Mobile Product
• 1 certification for each Payment System (certified by Payment System 1, Payment System 2, Payment System 3)
EMVCo Phase 2 - Mobile with eSE, UICC and HCE:
• TA for Mobile with UICC, eSE & HCE
• LOA for Mobile with UICC, eSE & HCE
• One single certification by EMVCo
Software Based Mobile Payments
Software-based Mobile Payments: What is it?
• Payment transactions where the consumer device is a connected mobile device such as a mobile phone and the card credentials are stored in an application located in the Rich Execution Environment (REE) or in the Trusted Execution Environment (TEE) of the device.
– Does not involve any Secure Element (SE) in the device.
• The card credentials in such an application are referred to as a 'Software Card'.
Software-based Mobile Payments: Use Cases
• 2 main use cases for Mobile Transactions:
– Contactless Payment, using Host Card Emulation (HCE)
– Remote Payment
• Assumption: for contactless payment, the interface towards the merchant is not impacted by Software-based Mobile Payments
• EMVCo’s initial focus is the Contactless Payment use case
Software-based Mobile Payments: Why?
• Host Card Emulation now enabled on many devices
– Available from Android version 4.4 (KitKat), and endorsed by many OEMs
– Easy deployment on mobile devices
• Deployment fully under the control of the Mobile Payment Application Provider – independently from the mobile device OEM and MNO
• User downloads the application from an Application Store
• All-in-one application (Card Emulation + User Interface)
Software-based Mobile Payments: Constraints
• REE and TEE represent a different risk model (compared to SE). Therefore Software-based Mobile Applications must employ risk mitigation techniques:
– Make credentials in the mobile application unattractive to attackers
  • Tokenisation of the associated physical PAN
  • No storage of highly sensitive assets – only limited value credentials are present (e.g. short-lived data)
  • Best effort to sandbox and obfuscate credentials (e.g. whitebox encryption)
– Increase use of the authorisation system and back-end processing capabilities
  • Online-only transactions
  • Strong fraud monitoring (e.g. duplicate transactions)
  • Possibility of instant disablement
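The back-end side of the mitigations listed above, as an added example that is not EMVCo's code and not any payment system's specification. The device holds only a token and a limited-use key (LUK) that expires after a fixed number of uses or a fixed time; every transaction is verified online, where a repeated or replayed transaction counter (ATC) is declined, a tampered amount fails the cryptogram check, and one flag flip disables the token instantly. The HMAC-based key derivation, the message layout, the use limits and the sample token `4999990000000019` are assumptions; how the LUK is delivered to the device (the provisioning protocol) is out of scope here and simply assumed to be a secured channel.

```python
"""Constructed example of the constraints above for a software (HCE) card: limited-use keys,
online-only cryptogram verification, duplicate/replay detection on the transaction counter,
and instant disablement. Not EMVCo's code; the key derivation, message layout, use limits and
the sample token are assumptions for illustration only."""
import hashlib
import hmac
import secrets
import time

MAX_USES = 5                # transactions per limited-use key (LUK) before the device must refresh
LUK_LIFETIME = 24 * 3600    # seconds a LUK stays valid

def tx_message(token, luk_seq, atc, amount, unpredictable_number):
    """Data both sides MAC: binds the cryptogram to counter, amount and terminal nonce."""
    return "|".join(str(x) for x in (token, luk_seq, atc, amount, unpredictable_number)).encode()

class SoftwareCard:
    """Device side (REE/TEE): holds only a token and one short-lived LUK, never the PAN or the
    issuer master key. Everything here is assumed to be readable by an attacker."""

    def __init__(self, token, luk, luk_seq):
        self.token, self.luk, self.luk_seq = token, luk, luk_seq
        self.atc = 0                       # application transaction counter, per LUK
        self.uses_left = MAX_USES

    def make_cryptogram(self, amount, unpredictable_number):
        if self.uses_left == 0:
            raise RuntimeError("LUK exhausted: device must go online for a new key")
        self.atc += 1
        self.uses_left -= 1
        msg = tx_message(self.token, self.luk_seq, self.atc, amount, unpredictable_number)
        return {"token": self.token, "luk_seq": self.luk_seq, "atc": self.atc, "amount": amount,
                "un": unpredictable_number,
                "cryptogram": hmac.new(self.luk, msg, hashlib.sha256).hexdigest()}

class IssuerBackend:
    """Issuer / TSP side: every transaction is verified online against per-token state."""

    def __init__(self, now=time.time):
        self.now = now
        self.master = {}   # token -> issuer master key; never leaves the backend
        self.state = {}    # token -> {"luk_seq", "issued_at", "last_atc", "uses", "enabled"}

    def _derive_luk(self, token, luk_seq):
        return hmac.new(self.master[token], b"LUK|%d" % luk_seq, hashlib.sha256).digest()

    def provision(self, token):
        """Hand the device a fresh LUK (assumed here to travel over an already-secured channel)."""
        self.master.setdefault(token, secrets.token_bytes(32))
        prev = self.state.get(token)
        seq = prev["luk_seq"] + 1 if prev else 1
        self.state[token] = {"luk_seq": seq, "issued_at": self.now(), "last_atc": 0, "uses": 0,
                             "enabled": prev["enabled"] if prev else True}
        return SoftwareCard(token, self._derive_luk(token, seq), seq)

    def disable(self, token):
        """Instant disablement: one flag flip declines everything the device can still produce."""
        self.state[token]["enabled"] = False

    def verify(self, tx):
        st = self.state.get(tx["token"])
        if st is None or not st["enabled"]:
            return "declined:token_disabled"
        if tx["luk_seq"] != st["luk_seq"]:
            return "declined:stale_luk"
        if self.now() - st["issued_at"] > LUK_LIFETIME:
            return "declined:luk_expired"
        if st["uses"] >= MAX_USES:
            return "declined:luk_exhausted"
        if tx["atc"] <= st["last_atc"]:           # duplicate or replayed transaction
            return "declined:duplicate_atc"
        msg = tx_message(tx["token"], tx["luk_seq"], tx["atc"], tx["amount"], tx["un"])
        expected = hmac.new(self._derive_luk(tx["token"], st["luk_seq"]), msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tx["cryptogram"]):
            return "declined:bad_cryptogram"
        st["last_atc"], st["uses"] = tx["atc"], st["uses"] + 1
        return "approved"

def demo():
    clock = [1_000_000.0]                          # controllable clock so expiry is testable
    backend = IssuerBackend(now=lambda: clock[0])
    card = backend.provision("4999990000000019")   # constructed token, not a real PAN
    tx1 = card.make_cryptogram(1250, "1a2b3c4d")
    approved = backend.verify(tx1)
    replayed = backend.verify(tx1)                 # same ATC presented twice
    tampered = dict(card.make_cryptogram(1250, "5e6f7a8b"), amount=999999)
    forged = backend.verify(tampered)
    clock[0] += 2 * LUK_LIFETIME
    expired = backend.verify(card.make_cryptogram(500, "0c0d0e0f"))
    card = backend.provision(card.token)           # device goes online, gets a new LUK
    backend.disable(card.token)                    # e.g. cardholder reports the phone stolen
    disabled = backend.verify(card.make_cryptogram(500, "10111213"))
    return approved, replayed, forged, expired, disabled
```

The design choice worth noticing is that nothing on the device is worth stealing for long: an extracted LUK yields at most `MAX_USES` transactions within `LUK_LIFETIME`, each one must reach the backend online, and the backend sees every counter value once.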
Possible Areas for EMVCo Standardisation
• Security Requirements of the Mobile Payment Application
– Objective: protect the payment credentials inside the Mobile Payment Application (both in use and in idle state)
  • Offer confidence to Issuers when they deploy Software Cards in a third-party application
• Security Requirements of the provisioning protocol
– Objectives:
  • Protect the payment credentials when they are sent to the mobile payment application
  • Ensure credentials are delivered to a duly authenticated mobile application
• Status
  • EMVCo initial evaluation of possible Security Requirements/Guidelines. Coordinating efforts with PCI SSC and GlobalPlatform.
Industry Engagement
Engagement with Global Organisations
• PCI SSC – Data Security
• GSMA – Mobile Applications
• NFC Forum – Contactless
• GlobalPlatform – Multi-Application Secure Platform
• EMVCo – Security, Interoperability and Emerging Payments
Engagement with Key Industry Stakeholders
Objective – Engage with regional and national bodies as needed to support the continued migration to EMV technology
• EMVCo – Security, Interoperability and Emerging Payments
• Other bodies – examples include:
EAP Connects EMVCo to Industry Leaders
Benefits:
• Access – Engage and connect with EMVCo’s Executive Committee, Board of Managers and Working Groups
• Insight – Learn more about EMVCo’s work programme, including future initiatives
• Influence – Contribute to the future evolution of the EMV Specifications by sharing expertise, experience and requirements
• Foresight – Receive advanced updates on EMV Specifications and technical amendments
Thank You! For more information visit www.emvco.com or join us on LinkedIn