Standard Seeks to Create More Secure PIN Entry for NFC Payment

As prospects for NFC-based mobile payment heat up, banks and payment brands are left with the problem of how to secure high-value transactions.

With viruses on smartphones an ever-present worry, some are not convinced it’s safe to allow consumers to enter PIN codes on handset keypads, which could be spied upon by fraudsters.

So some banks are requiring users in trials, such as one now going on in Spain, to enter their PINs on point-of-sale terminal keypads; the entered PINs are then compared with PINs stored on the backend. Some NFC trial organizers don’t allow high-value transactions at all.

And while most banks and payment companies likely will want to enable PIN entry on the NFC handset to ensure the user experience is consistent, they might follow the lead of French banks, which in NFC pilots have renamed the PIN as the “personal code.” Although the banks emphasize that this code is different from the PINs used by customers for their French debit cards, it does not avoid the potential risks of an insecure phone keypad.

But vendors have been developing hardware and software that could provide a trusted area right on the phone processor, which could store encryption keys, certificates and other security measures.

This so-called “trusted execution environment” would add security features to help safeguard PIN entry on the phone keypad and also deter hackers from spying on transaction data displayed on the handset screen. It could offer a security boost for a range of other applications, including enabling secure access through corporate virtual private networks or digital rights management for games or music, among a range of services in app stores of the various smartphone makers.

“The picture is very clear, you will have a smartphone in your pocket; you will have a rich OS (operating system), and there is a real need for security whatever the OS,” Gil Bernabeu, technical director for GlobalPlatform, told NFC Times. “Currently, the Apple and RIM (BlackBerry maker Research in Motion) and Android stores, those guys are making applications with no security.”

GlobalPlatform is developing specifications that apply to software and hardware that use the trusted execution environment in phones. The specifications are for the application programming interface, or API, for applications that run in this trusted environment. The API would enable developers working with various smartphone operating systems and chips to develop applications across all the platforms. Their products now remain proprietary.

While most trusted execution environments on phones use a secure area called TrustZone by UK-based chip design company ARM Holdings, TrustZone ties into different operating systems, such as BlackBerry OS and Android. There are also different phone processor chip makers and at least two major providers of software platforms for applications using TrustZone and the trusted execution environment: smart card vendor Giesecke & Devrient and Trusted Logic, owned by smart card maker Gemalto.

GlobalPlatform members ARM, Giesecke & Devrient, Trusted Logic and chip makers ST-Ericsson and Texas Instruments have worked on the specifications.

These specs will not be used only for NFC applications, and a mobile operator group, the Open Mobile Terminal Platform, also worked on the specifications. The group is now known as the Wholesale Applications Community, or WAC.

But GlobalPlatform needs some support from the major smartphone makers and other chip makers for its specifications. The initiative presumably has the backing of Giesecke & Devrient and Trusted Logic. GlobalPlatform has formed a working group to continue work on the standard.

There is also a need for a secure connection from the trusted execution environment to the secure element or secure chip in the NFC phones, which would store the actual keys to the payment applications and the customers’ PIN codes. This chip could be on a SIM card, embedded in the handset itself or located elsewhere, such as in a microSD card inserted in the phone.

And even with the more secure phone keypad that the trusted environment provides, PIN entry on the phone to complete a payment transaction would not be considered as secure as entering PINs on POS terminal keypads that support the PIN Entry Device standard, or PED, of the PCI Security Standards Council.

But with NFC-based mobile payment expected to begin rolling out by next year, a standard promoting more secure phone keypads and screens is no doubt welcome news for banks and card brands. 

Article comments

 
MK.Mustafa Sep 14 2010

All these security issues can be solved if SCWS-enabled SIM cards are used; this will enable all mobiles to interact with the mobile payment application, which is stored in SIM cards, through a web server. All encryption keys are stored in the SIM and are not visible to the phone OS; all encryption operations are done at the SIM card level.
