smart card to the cloud for convenient, secured nfc payment
TRANSCRIPT
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
Smart Card to the Cloud for Convenient, Secured
NFC Payment
KONA I
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
Who We Are?
Sazzadur Rahaman
Software Engineer and Team Lead @ KONA SL
Image Source: http://the9gag.com/top-rated/4am-programmer-room-4440
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
Who We Are?
Md. Sanoar Hossain Khan
Senior Software Engineer and Development Project Manager
@ KONA SL
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
Outline
Payment Systems in Action: A Bird’s Eye View
Moving Smart Cards to the Cloud: The Era of HCE
Birth of Kona Pay: A New Payment Platform in Town
A journey with Kona Pay: Joy of Smashing Challenges
Kona Pay into the Wild: From Korea to USA
Q/A
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
Payment Systems in Action:
A Bird’s Eye View
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
acquirer
Payment System Overview
Payment Network Issuer
E Commerce POS
Merchant
Card Holder
Plastic Card
Mobile Phone
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
acquirer
Payment System Overview – Transaction Flow
Payment Network Issuer
E Commerce POS
Merchant
Card Holder
Plastic Card
Mobile Phone
1
3
2
4
5
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
acquirer
Payment System Overview
Payment Network Issuer
E Commerce POS
Merchant
Card Holder
Plastic Card
Mobile Phone
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
acquirer
Payment System Overview
Payment Network Issuer
E Commerce POS
Merchant
Card Holder
Plastic Card
Mobile Phone
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
Smart card
Magnetic Cards vs Smart Cards
Smart card components
Secure
IC
Chip
(SE)
Contactless Smart card
Secure
IC
Chip
(SE)
Magnetic Stripe Card
Open magnetic stripe
Service
applet
User
data
NFC
radio
User
data
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
Standard NFC Cards and Mobile-based Card
Same components in different form factor
Smart card
IC Chip
(SE)
Service
applet
User
data
SE
NFC
• SE Provider providing SEs (generally MNOs)
• Service Provider providing Services to the
consumers (generally Banks)
SWP
End-User
mobile
handset
Convenient than the other form factors
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
Need for Trusted Service Manager
oManages Secure Element
o Arranges data exchange and business
relationships among stakeholders
oGenerates Security Domains (SDs).
Manages Keys used in generating SDs.
Service Providers can safely and
independently manage their services.
oMakes service provisioning simpler.
Therefore achieves services activation
in a short period of time
Trusted
Service
Manager
SE
Provider
1
SP 1
SE
Provider
2
SE
Provider
3
SP 2
SP 3
Service
applet
User
data
Service
applet
User
data
Service
applet
User
data
Still the ecosystem is more complex than previous
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
Moving Smart Cards to the Cloud:
The Era of HCE
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
SE-less mobile card: Host Card Emulation
Concept of Host Card Emulation
Transaction processing before
HCE
Additional Option with HCE
With Google Android 4.4 and above, the NFC controller communicates with host OS first,
allowing it choose where to request applet and user data, and bypass the SE if required.
Service
applet
User
data
Secure
Element
Local storage
Internet
?
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
Security via Tokenization
Issuer (Bank)
Token Server User’s PAN, expiry date etc.
Token
Token
Vault
Token
Generator User
mobile
1. Static Parameters
2. Dynamic Parameters
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
Security via Tokenization
Token’s use during transactions
Issuer (Bank)
Token Server
User
mobile
User’s PAN, expiry date etc.
Token
Token
Vault
Token
Adapter
During a contactless payment transaction they travel through the POS to the Issuer system. The Issuer
sends the token to the Tokenization Server for checking, and upon getting confirmation that it is valid,
authorizes the transaction.
POS
Acquirer bank
Authorization
6
1
2 3
4
5
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
Different flavors (models) of HCE
Mobile Device
Mobile OS
HCE APIs
Service applet
(agent)
NFC Controller
User data
Model—1
• Applet in Cloud
• User data and keys
in Cloud
Model—2
• Applet in OS
• User data and keys
in OS
Model—3
• Applet in OS
• User data in Cloud
Model—4
• Applet in OS
• User data in Cloud
• Token downloaded
to OS
Model—5 (SE-biased)
• Applet in OS
• User data in SE
Mobile Device
Mobile OS
HCE APIs
Service
applet
(agent)
NFC Controller
User data
Mobile Device
Mobile OS
HCE APIs
Service applet
(agent)
NFC Controller
Mobile Device
Mobile OS
HCE APIs
Service
applet (agent)
NFC Controller
Token
Mobile Device
Mobile OS
HCE APIs
Service applet
(agent)
NFC Controller
SE User
data
User
data
User data
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
Birth of Kona Pay:
A New Payment Platform in Town
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
Issuer / Bank
In-store payment
using plastic card Online payment
Plastic card issuance Tokenization
Mobile Card Issuance
In-store payment
using Mobile card In-App Payment
Multiple business and technical arrangements
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
Merchant: Online Fraud – Liability Shift
Fraud & Liability
• Potential Data Breech
Phishing, Key logging, etc.
Hacking Card on File (CoF)
Transaction data modification or interception
• Key Liability towards Merchant
Need to secure e-Store, CoF and Transaction
Online Shopping
• Manually enter Card info
User inconvenient
• Store Card info in online account
Merchant need to support Card on File (CoF)
• Online Transaction
Mag-stripe transaction
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
User
• Lots of Credit
Card, ID Card,
Coupons, etc…
• Different credit
card, different
PIN.
• Input credit card
information manually
• Trust Merchants with
Credit Card Info
• Insecure online
transactions.
• Multiple vouchers,
coupons, gift cards,
etc.
• Need to carry those
around physically.
• Longer card delivery
time.
• Card cloning.
• Constantly check for
suspicious transactions, notify
the bank.
• Hassle to block the card and
get a new one, also the
reimbursement of the money
from bank.
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
Converging Factors
Single Payment Platform
ALL
Form Factors
ALL
Provisioning Modes
ALL
Payment Modes
ALL
Security Measures
Plastic contact card
Plastic contactless card
N Card
SE (UICC, mSD, eSE)
Host card emulation
Central mass perso
Instant perso
SE/HCE OTI or OTA
SE/HCE (post) issuance
OTI/OTA
In-store: plastic cards
In-store: SE/HCE mobile
In-app: SE/HCE mobile
In-app/remote: plastic
contactless using NFC
EMV
Tokenized plastic card
Whitebox crypto, LDE
PKI
FIDO, TEE (in roadmap)
* N Card is dual interface plastic card, supports both contact and contactless, can store multiple credit cards,
gift/loyalty/coupons, transport card, etc., can be (post) personalized using mobile wallet and used to make in-store as well
as in-app transaction using NFC between the card and mobile.
** Tokenized plastic card does not store the original PAN inside, rather an alternate PAN which generates cryptogram for
the issuer to verify.
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
Converging Factors
Single Wallet
N Card SE (UICC, mSD, eSE) Remote Payment HCE
• N Card is dual interface plastic card
• Supports both contact and contactless
• Can store multiple credit cards, gift/loyalty/coupons, transport
card, etc.,
• Post personalized using mobile wallet
• Supports in-store and in-app transaction using NFC between the
card and mobile.
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
Payment Network
Acquirer
User
POS Remote Payment
Gateway
Mobile Application
TSM
Mobile Application Platform Cloud Platform
Voucher Issuance System Card Issuance System
Token Service Provider
Transaction Management System
Issuer CMS
Card
Components of Kona Pay
Service Manager
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
Personalization Flow
Issuer Authorization
System
Service Manager
Card Issuance System (Data
Prep)
Raw Data
Issuer
Perso Machine
• Plastic Cards
Card Issuance System (Data
Perso)
P3 data
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
Personalization Flow
Issuer Authorization
System
Service Manager
Card Issuance System (Data
Prep)
Raw Data
Issuer
Perso Machine
Token Service
Provider
Secure Server
Tokenized Plastic Cards
Card Issuance System (Data
Perso)
P3 data
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
Personalization Flow
Mobile Application
Issuer Authorization
System
Cloud Platform
Service Manager
MAP Card Issuance System (Data
Prep)
Raw Data P3 data
HCE applet
Issuer
Mobile
Token Service
Provider
Secure Server
Internet
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
Personalization Flow
Mobile Application
TSM
Issuer Authorization
System
SE
Cloud Platform
Service Manager
Card Issuance System (Data
Prep)
Raw Data P3 data
Issuer
Mobile
Token Service
Provider
Secure Server
Mobile App Platform
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
Personalization Flow
Mobile Application
TSM
Issuer Authorization
System
Cloud Platform
Service Manager
MAP Card Issuance System (Data
Prep)
Raw Data P3 data
Issuer
Dual Interface
Card
Mobile
Token Service
Provider
Secure Server
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
Personalization Flow
Mobile Application
TSM
Issuer Authorization
System
SE
Cloud Platform
Service Manager
MAP Card Issuance System (Data
Prep)
Raw Data P3 data
HCE applet
Issuer
Dual Interface
Card
Mobile
Perso Machine
Token Service
Provider
Secure Server
• Plastic Cards
• Tokenized Plastic Cards
Card Issuance System (Data
Perso)
Internet
P3 data
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
Transaction Flow
Mobile Application
TMS
Issuer Authorization
System
SE
Service Manager
Perso Machine
HCE applet
Issuer
Dual Interface
Card
Mobile
POS
Transaction
update
Acquirer Payment Network In-store
purchases
POS
TSP
Cloud Paltform
TSM
MAP
Card Issuance System (Data
Prep)
Secure Server
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
Transaction Flow
Mobile Application
TMS
Issuer Authorization
System
SE
Service Manager
Perso Machine
HCE applet
Issuer
Dual Interface
Card
Mobile
Transaction
update
Acquirer Payment Network
Remote Payment Gateway
In-app
purchases
TSP
Cloud Paltform
TSM
MAP
Card Issuance System (Data
Prep)
Secure Server
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
Issuer / Bank
N Card
• Soft card
• SE-based card
Single wallet
In-app and
online payment
Voucher
redemption
One platform supports all form-factors and channels
In-store
payment
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
Merchant: No Liability | No PCI-DSS | Higher Conversion
Merchant
TOKEN
No more Liability
• Card on File
Does not store real PAN
Only store Token (alternate PAN)
• Manual Entry
No need to enter Card info manually
Token will be used on entire ecosystem
• Transaction Security
EMV transaction instead on Magstripe
Highly secure – impossible to break
No more PCI-DSS
• Cost Saver
Does not need Certification Issuance / Renewal
Less administrative cost on Infrastructure
Higher Conversion
• User Experience
Secured and hassle free Shopping
Increase conversion rate
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
User
N Card
One PIN
Single wallet
Secure
transactions
Convenient voucher
redemption
Single click transaction
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
A journey with Kona Pay:
Joy of Smashing Challenges
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
Challenges - Development with the Spec Releases
Host Card Emulation is a relatively (in payment industry terms) recent idea. However the
major brands have rapidly endorsed and developed specifications to help vendors.
VCP-CS
o Compatible with EMV tokenization
spec
o Defined components of HCE eco-
system: for provisioning,
tokenization, verification, lifecycle
management etc.—with general
responsibilities
o Behavior guidance for application
in mobile. Compatible with VCPS
Q1 Q2 Q3 Q4
Nov Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec
Android 4.4
mobile OS
platform
with HCE
support
VCP-CS (VISA
Cloud-based
Payments -
Contactless
Specifications)
1.0
EMV
Payment
Tokenizatio
n
Specificatio
n 1.0
VCP-CS 1.1
VCP-CS 1.2
MasterCard
Cloud-Based
Payments
Specification
1.0
Draft AmEx
specification
s
Cartes
2014
2014
EMV Tokenization Specifications
o PAN, expiry date, cardholder name,
cryptographic keys to be tokenized
o Tokens have similar format to
original data
o Token ranges different from original
PAN ranges etc.
o Different business models—
digitized card in mobile, card-on-file
online etc.
MasterCard CBP
o Compatible with EMV
tokenization spec
o Defined components of
HCE eco-system—with
specific responsibilities
and actions
o Defined specific behavior
for application in mobile
in detail.
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
Challenges - Development with the Spec Releases
• Had to adapt lots of changes within short time – Had to try different business models to fit in
• Hard Deadline to stay ahead of the market competitors
• We had to forecast different behaviors for MasterCard CBPS Specs – Sometimes it worked and sometimes it didn’t
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
Challenges We Faced
• Maintaining Effective Peer Code Review, under Serious Deadlines
• Automated Test Coverage
• Scrum Practice in Distributed Teams
• Testing while development – Mocking the dependency
– Implement the skeleton first from top to bottom.
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
Challenges We Faced
• Effective Team Collaboration while doing, webservices – Dependency Analysis before planning a sprint is very vital
Image Source: http://wonderfulengineering.com
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
People behind Kona Pay
• Total Developers: 22
• Total QAs: 7
• Scrum Teams: 5
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
Technologies Used for Kona Pay
Mobile App
• Host Card
Emulation
• Smart Card Service
• PKI middleware
• White Box
Cryptography
• ActiveAndroid
• Dagger
• ButterKnife
• Retrofit
• Eventbus
Web Applicaton
• Spring Framework
• Spring MVC
• Spring Integration
• JPA
• Hibernate
• Jboss AS
Other Tools
• RabbitMQ (MQTT)
• HornetQ
• Memcached
• Infinspan
• OpenSSO
• ElasticSearch-
Logstash-Kibana
Database
• Oracle
• MySql
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
Technologies Used for Kona Pay
Testing
• Jbehave
• Gatling
• Jmeter
• Collis
Environment
• Eclipse
• Gradle
• Jrebel
• Git
• Jenkins
Review & Issue
Tracking
• reviewboard
• Redmine
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
Kona Pay into the Wild:
From Korea to The World
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
Kona Pay was Unveiled in South Korea for Korean Market
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
Kona Pay in Outside Korea
• Kona Pay is unveiled in Money20/20 2015 for US Market
• Kona Pay will be unveiled in Cartes-2015 for Europe Market