Standard Seeks to Create More Secure PIN Entry for NFC Payment

As prospects for NFC-based mobile payment heat up, banks and payment brands are left with the problem of how to secure high-value transactions.

With viruses on smartphones an ever-present worry, some are not convinced it’s safe to allow consumers to enter PIN codes on handset keypads, which could be spied upon by fraudsters.

So some banks are requiring users in trials, such as one now going on in Spain, to enter their PINs on point-of-sale terminal keypads; the entered PINs are then compared with PINs stored on the backend. Some NFC trial organizers don’t allow high-value transactions at all.

And while most banks and payment companies likely will want to enable PIN entry on the NFC handset to ensure the user experience is consistent, they might follow the lead of French banks, which in NFC pilots have renamed the PIN as the “personal code.” Although the banks emphasize that this code is different from the PINs used by customers for their French debit cards, it does not avoid the potential risks of an insecure phone keypad.

But vendors have been developing hardware and software that could provide a trusted area right on the phone processor, which could store encryption keys, certificates and other security measures.

This so-called “trusted execution environment” would add security features to help safeguard PIN entry on the phone keypad and also deter hackers from spying on transaction data displayed on the handset screen. It could offer a security boost for a range of other applications, including enabling secure access through corporate virtual private networks or digital rights management for games or music, among a range of services in app stores of the various smartphone makers.

“The picture is very clear, you will have a smartphone in your pocket; you will have a rich OS (operating system), and there is a real need for security whatever the OS,” Gil Bernabeu, technical director for GlobalPlatform, told NFC Times. “Currently, the Apple and RIM (BlackBerry maker Research in Motion) and Android stores, those guys are making applications with no security.”

GlobalPlatform is developing specifications that apply to software and hardware that use the trusted execution environment in phones. The specifications are for the application programming interface, or API, for applications that run in this trusted environment. The API would enable developers working with various smartphone operating systems and chips to develop applications across all the platforms. Their products now remain proprietary.

While most trusted execution environments on phones use a secure area called TrustZone by UK-based chip design company ARM Holdings, TrustZone ties into different operating systems, such as BlackBerry OS and Android. There are also different phone processor chip makers and at least two major providers of software platforms for applications using TrustZone and the trusted execution environment: smart card vendor Giesecke & Devrient and Trusted Logic, owned by smart card maker Gemalto.

GlobalPlatform members ARM, Giesecke & Devrient, Trusted Logic and chip makers ST-Ericsson and Texas Instruments have worked on the specifications.

These specs will not be used only for NFC applications, and a mobile operator group, the Open Mobile Terminal Platform, also worked on the specifications. The group is now known as the Wholesale Applications Community, or WAC.

But GlobalPlatform needs some support from the major smartphone makers and other chip makers for its specifications. The initiative presumably has the backing of Giesecke & Devrient and Trusted Logic. GlobalPlatform has formed a working group to continue work on the standard.

There is also a need for a secure connection from the trusted execution environment to the secure element or secure chip in the NFC phones, which would store the actual keys to the payment applications and the customers’ PIN codes. This chip could be on a SIM card, embedded in the handset itself or located elsewhere, such as in a microSD card inserted in the phone.

And even with the more secure phone keypad that the trusted environment provides, PIN entry on the phone to complete a payment transaction would not be considered as secure as entering PINs on POS terminal keypads that support the PIN Entry Device standard, or PED, of the PCI Security Standards Council.

But with NFC-based mobile payment expected to begin rolling out by next year, a standard promoting more secure phone keypads and screens is no doubt welcome news for banks and card brands. 

Article comments

 
MK.Mustafa Sep 14 2010

All these security issues can be solved if SCWS-enabled SIM cards are used; this will enable all mobiles to interact with the mobile payment application, which is stored in the SIM card, through a web server. All encryption keys are stored in the SIM and are not visible to the phone OS; all encryption operations are done at the SIM card level.
