Click here to close now.

Welcome!

SOA & WOA Authors: Leo Reiter, Carmen Gonzalez, AppDynamics Blog, Roger Strukhoff, Sean Dwyer

Related Topics: Wireless, SOA & WOA, Web 2.0, iPhone, Security

Wireless: Article

Securing Mobile Payments

As the mobile payment industry continues to develop at lightning speed, best practices have yet to be solidified

As mobile phones become as indispensable as credit cards for purchasing goods and services, mobile payment developments are quickly gaining pace. Many different service providers are competing for their piece of the action. Within the last year, we have witnessed the arrival of mobile payment solutions such as MasterCard's PayPass, Google's Android-based eWallet scheme and Starbucks' emerging Quick Tap PayPass service.

A study from Juniper Research predicts that mobile contactless payment transactions are to reach nearly $50 billion worldwide in 2014 and NFC solutions will be used in 20 countries within the next 18 months.

However, with the widespread adoption of this technology, there is a need to debate which type of scheme works best and is the most robust.

Setting the Standard
As with traditional payments, standardization is vital. Several effective standards are already gaining momentum in delivering a secure mobile payments ecosystem:

  • Organizing Mobile NFC Services - The Trusted Service Manager (TSM) acts as an intermediary between Mobile Network Operators (MNOs) and third-party service providers that wish to offer additional services to subscribers. GlobalPlatform's ‘System Messaging Specification for Management of Mobile-NFC Services' defines the messaging between each of the three parties to guarantee secure ‘provisioning' of services to the device.
  • The SIM Alliance Open Mobile API - Applications utilizing the Secure Element (the cryptographically secured piece of hardware on newer mobile devices) to secure their critical operations, such as payments, banking or transport tickets, can have a component running within the device's operating system that ensures the user can securely interact with the keyboard/touch screen while enjoying a rich graphical user experience. The SIM Alliance Open Mobile API allows application developers to utilize additional security of the Secure Element more easily, be this in a UICC SIM, a dedicated Secure Element built into the device or a secure SD card, by providing a common means of interfacing with it.
  • Trusted Execution Environment (TEE) - The Secure Element cannot easily host apps with a highly developed or cutting edge user interface, but can look after critical data on the mobile handset. Applications that require complex user interactions must run on the device's primary processor. The TEE secures these apps; GlobalPlatform is leading the standardization and interoperability in this area to ensure that software and data are sufficiently protected. For example, payment apps that run their user interface in TEE and their transaction security in the Secure Element would have a particularly high level of security.

Such standards encourage the industry to work together and benchmark best practices, but they remain as fundamental elements of successful mobile payment security. It is also required that technology that makes the security of provisioning mobile payment applications is as safe as issuing cards, and designing the necessary infrastructure requires much needed consumer confidence.

Security Issues Prompt Consumer Fear
Consumer's perceived fear surrounding new mobile payments technology often looms around security. The lack in consumer confidence originates from the threat of information being intercepted during a transaction. Yet risks are prominent at every stage of the mobile payment life cycle, including how payment applications get onto a phone securely in the first place. Constructing the data needed to issue a payment application and generate the secure messages to personalize a handset can be a lengthy and inefficient process, and the various cryptographic functions pose the possibility that sensitive data is at risk of exposure.

This initial set-up process or ‘provisioning' usually takes place over-the-air (OTA). The process increases security risks due to the various parties involved - typically the payment application provider (usually a bank), a Trusted Service Manager, the Mobile Network Operator and the end user. A vital success factor is maintaining security throughout this procedure, ensuring that no data is compromised. Successful provisioning utilizes unique personalization keys to not only encrypt the loading of data onto a device, but also the succeeding transactions performed by the application.

Mobile Payment Security as Secure as Traditional Payment Cards
By implementing the newest cryptography methods, users can ensure that ‘provisioning' occurs securely with the same level of protection provided by traditional payment cards. Providers of physical cards tend to favor Hardware Security Modules (HSMs), which generate and secure the encryption keys crucial to managing issuance risk. This method is also relevant for provisioning services to a mobile phone and can significantly reduce the complexities associated with the process while simultaneously avoiding the weakness of keys stored in software. The primary benefit of an HSM is to secure encryption keys and sensitive data in a way that safeguards such data from exposure. With this method, service providers reduce risk.

While encryption is crucial to the security of mobile payments, it isn't the only answer. For a more comprehensive approach to optimize security, encryption and authentication must be combined to provide protection for data exchanges and authorizations.

Reducing Risk
As the mobile payment industry continues to develop at lightning speed, best practices have yet to be solidified. Operators and related parties are still unsure about who ultimately controls the mobile wallet. But one thing that is for sure is that security remains the primary hurdle most consumers can't get over.

Extinguishing this concern is no easy task; it requires a mixture of robust standards and best practices, accompanied with the right technical path to ensure the experience is safe from the second that a user opts to download a payment app. If businesses want to take advantage of the mobile payments, security needs to be at the forefront of their approach to mitigating risk and encourage comprehensive consumer adoption.

More Stories By Ian Hermon

Ian Hermon is Product Marketing Manager at Thales e-Security. He has more than 15 years’ experience in the payment industry, being responsible for the Thales portfolio of payment and transaction security products. He represents Thales on both the MasterCard Global Vendor Forum and Visa Europe Vendor Forum, is a member of the Smart Card Alliance Payments Council and the Smartex Smart Payments Forum Steering Committee. Ian also represents Thales as a participating organization on the PCI Security Standards Committee and is an EMV subscriber.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
Cloud data governance was previously an avoided function when cloud deployments were relatively small. With the rapid adoption in public cloud – both rogue and sanctioned, it’s not uncommon to find regulated data dumped into public cloud and unprotected. This is why enterprises and cloud providers alike need to embrace a cloud data governance function and map policies, processes and technology controls accordingly. In her session at 15th Cloud Expo, Evelyn de Souza, Data Privacy and Compliance Strategy Leader at Cisco Systems, will focus on how to set up a cloud data governance program and s...
Containers and microservices have become topics of intense interest throughout the cloud developer and enterprise IT communities. Accordingly, attendees at the upcoming 16th Cloud Expo at the Javits Center in New York June 9-11 will find fresh new content in a new track called PaaS | Containers & Microservices Containers are not being considered for the first time by the cloud community, but a current era of re-consideration has pushed them to the top of the cloud agenda. With the launch of Docker's initial release in March of 2013, interest was revved up several notches. Then late last...
Roberto Medrano, Executive Vice President at SOA Software, had reached 30,000 page views on his home page - http://RobertoMedrano.SYS-CON.com/ - on the SYS-CON family of online magazines, which includes Cloud Computing Journal, Internet of Things Journal, Big Data Journal, and SOA World Magazine. He is a recognized executive in the information technology fields of SOA, internet security, governance, and compliance. He has extensive experience with both start-ups and large companies, having been involved at the beginning of four IT industries: EDA, Open Systems, Computer Security and now SOA.
HP and Aruba Networks on Monday announced a definitive agreement for HP to acquire Aruba, a provider of next-generation network access solutions for the mobile enterprise, for $24.67 per share in cash. The equity value of the transaction is approximately $3.0 billion, and net of cash and debt approximately $2.7 billion. Both companies' boards of directors have approved the deal. "Enterprises are facing a mobile-first world and are looking for solutions that help them transition legacy investments to the new style of IT," said Meg Whitman, Chairman, President and Chief Executive Officer of HP...
The industrial software market has treated data with the mentality of “collect everything now, worry about how to use it later.” We now find ourselves buried in data, with the pervasive connectivity of the (Industrial) Internet of Things only piling on more numbers. There’s too much data and not enough information. In his session at @ThingsExpo, Bob Gates, Global Marketing Director, GE’s Intelligent Platforms business, to discuss how realizing the power of IoT, software developers are now focused on understanding how industrial data can create intelligence for industrial operations. Imagine ...
Operational Hadoop and the Lambda Architecture for Streaming Data Apache Hadoop is emerging as a distributed platform for handling large and fast incoming streams of data. Predictive maintenance, supply chain optimization, and Internet-of-Things analysis are examples where Hadoop provides the scalable storage, processing, and analytics platform to gain meaningful insights from granular data that is typically only valuable from a large-scale, aggregate view. One architecture useful for capturing and analyzing streaming data is the Lambda Architecture, representing a model of how to analyze rea...
SYS-CON Events announced today that Vitria Technology, Inc. will exhibit at SYS-CON’s @ThingsExpo, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Vitria will showcase the company’s new IoT Analytics Platform through live demonstrations at booth #330. Vitria’s IoT Analytics Platform, fully integrated and powered by an operational intelligence engine, enables customers to rapidly build and operationalize advanced analytics to deliver timely business outcomes for use cases across the industrial, enterprise, and consumer segments.
SYS-CON Events announced today that Open Data Centers (ODC), a carrier-neutral colocation provider, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place June 9-11, 2015, at the Javits Center in New York City, NY. Open Data Centers is a carrier-neutral data center operator in New Jersey and New York City offering alternative connectivity options for carriers, service providers and enterprise customers.
The explosion of connected devices / sensors is creating an ever-expanding set of new and valuable data. In parallel the emerging capability of Big Data technologies to store, access, analyze, and react to this data is producing changes in business models under the umbrella of the Internet of Things (IoT). In particular within the Insurance industry, IoT appears positioned to enable deep changes by altering relationships between insurers, distributors, and the insured. In his session at @ThingsExpo, Michael Sick, a Senior Manager and Big Data Architect within Ernst and Young's Financial Servi...
The explosion of connected devices / sensors is creating an ever-expanding set of new and valuable data. In parallel the emerging capability of Big Data technologies to store, access, analyze, and react to this data is producing changes in business models under the umbrella of the Internet of Things (IoT). In particular within the Insurance industry, IoT appears positioned to enable deep changes by altering relationships between insurers, distributors, and the insured. In his session at @ThingsExpo, Michael Sick, a Senior Manager and Big Data Architect within Ernst and Young's Financial Servi...
PubNub on Monday has announced that it is partnering with IBM to bring its sophisticated real-time data streaming and messaging capabilities to Bluemix, IBM’s cloud development platform. “Today’s app and connected devices require an always-on connection, but building a secure, scalable solution from the ground up is time consuming, resource intensive, and error-prone,” said Todd Greene, CEO of PubNub. “PubNub enables web, mobile and IoT developers building apps on IBM Bluemix to quickly add scalable realtime functionality with minimal effort and cost.”
Sensor-enabled things are becoming more commonplace, precursors to a larger and more complex framework that most consider the ultimate promise of the IoT: things connecting, interacting, sharing, storing, and over time perhaps learning and predicting based on habits, behaviors, location, preferences, purchases and more. In his session at @ThingsExpo, Tom Wesselman, Director of Communications Ecosystem Architecture at Plantronics, will examine the still nascent IoT as it is coalescing, including what it is today, what it might ultimately be, the role of wearable tech, and technology gaps stil...
With several hundred implementations of IoT-enabled solutions in the past 12 months alone, this session will focus on experience over the art of the possible. Many can only imagine the most advanced telematics platform ever deployed, supporting millions of customers, producing tens of thousands events or GBs per trip, and hundreds of TBs per month. With the ability to support a billion sensor events per second, over 30PB of warm data for analytics, and hundreds of PBs for an data analytics archive, in his session at @ThingsExpo, Jim Kaskade, Vice President and General Manager, Big Data & Ana...
In the consumer IoT, everything is new, and the IT world of bits and bytes holds sway. But industrial and commercial realms encompass operational technology (OT) that has been around for 25 or 50 years. This grittier, pre-IP, more hands-on world has much to gain from Industrial IoT (IIoT) applications and principles. But adding sensors and wireless connectivity won’t work in environments that demand unwavering reliability and performance. In his session at @ThingsExpo, Ron Sege, CEO of Echelon, will discuss how as enterprise IT embraces other IoT-related technology trends, enterprises with i...
When it comes to the Internet of Things, hooking up will get you only so far. If you want customers to commit, you need to go beyond simply connecting products. You need to use the devices themselves to transform how you engage with every customer and how you manage the entire product lifecycle. In his session at @ThingsExpo, Sean Lorenz, Technical Product Manager for Xively at LogMeIn, will show how “product relationship management” can help you leverage your connected devices and the data they generate about customer usage and product performance to deliver extremely compelling and reliabl...
The Internet of Things (IoT) is causing data centers to become radically decentralized and atomized within a new paradigm known as “fog computing.” To support IoT applications, such as connected cars and smart grids, data centers' core functions will be decentralized out to the network's edges and endpoints (aka “fogs”). As this trend takes hold, Big Data analytics platforms will focus on high-volume log analysis (aka “logs”) and rely heavily on cognitive-computing algorithms (aka “cogs”) to make sense of it all.
One of the biggest impacts of the Internet of Things is and will continue to be on data; specifically data volume, management and usage. Companies are scrambling to adapt to this new and unpredictable data reality with legacy infrastructure that cannot handle the speed and volume of data. In his session at @ThingsExpo, Don DeLoach, CEO and president of Infobright, will discuss how companies need to rethink their data infrastructure to participate in the IoT, including: Data storage: Understanding the kinds of data: structured, unstructured, big/small? Analytics: What kinds and how responsiv...
Since 2008 and for the first time in history, more than half of humans live in urban areas, urging cities to become “smart.” Today, cities can leverage the wide availability of smartphones combined with new technologies such as Beacons or NFC to connect their urban furniture and environment to create citizen-first services that improve transportation, way-finding and information delivery. In her session at @ThingsExpo, Laetitia Gazel-Anthoine, CEO of Connecthings, will focus on successful use cases.
Sensor-enabled things are becoming more commonplace, precursors to a larger and more complex framework that most consider the ultimate promise of the IoT: things connecting, interacting, sharing, storing, and over time perhaps learning and predicting based on habits, behaviors, location, preferences, purchases and more. In his session at @ThingsExpo, Tom Wesselman, Director of Communications Ecosystem Architecture at Plantronics, will examine the still nascent IoT as it is coalescing, including what it is today, what it might ultimately be, the role of wearable tech, and technology gaps stil...
The true value of the Internet of Things (IoT) lies not just in the data, but through the services that protect the data, perform the analysis and present findings in a usable way. With many IoT elements rooted in traditional IT components, Big Data and IoT isn’t just a play for enterprise. In fact, the IoT presents SMBs with the prospect of launching entirely new activities and exploring innovative areas. CompTIA research identifies several areas where IoT is expected to have the greatest impact.