cloud payments (hce): a simpler step with thales hsms

Post on 12-Apr-2017


TRANSCRIPT

www.thales-esecurity.com

Cloud Payments (HCE): a simpler step with Thales HSMs

Simon Keates, CISSP

This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or disclosed to a third party without the prior written consent of Thales - © Thales 2014 All rights reserved.


Largely unregulated and unqualified

4 years ago…


Situation Today

Highly regulated. Even more growth!


A quick poll

Do you have a smartphone?

Have you bought something using your smartphone? (Not necessarily in a store, e.g., Amazon, Dominos, Uber, etc.)

Have you used your phone in a store to buy something?


Voting results


But change is coming!


The growth of contactless acceptance/distribution

http://finextra.com/news/fullstory.aspx?newsitemid=27119

http://www.nfcworld.com/2014/09/10/331470/mastercard-issues-european-contactless-pos-mandate/

https://tfl.gov.uk/info-for/media/press-releases/2014/september/more-than-128-000-contactless-payments-made


The growth of contactless acceptance/distribution

http://www.theukcardsassociation.org.uk/contactless_contactless_statistics/


Apple Pay, launched in October 2014

▌ Simplifying the user experience
- Simple process to enrol cards
- Automatic wallet start-up
- One Touch fingerprint confirmation

▌ Enhancing the security
- Embedded secure element
- Tokenization of credentials
- No card information shared with merchants

▌ Partnering rather than disrupting
- Using existing payment card rails
- Using established standard technology – EMV, NFC
- Leveraging card schemes' expertise and business models


Google introduces support for HCE (November 2013)

https://developer.android.com/guide/topics/connectivity/nfc/hce.html


Schemes Introduce Support for HCE


230 PAGES 876 PAGES


What is Host Card Emulation (HCE)?

▌Does not require the use of a Secure Element (SE) on the mobile device
- Mobile application has payment credentials
- Only essential payment data is on the device, the rest is in the ‘cloud’
- Major card schemes have their own proprietary specifications for support of HCE implementations

▌Increased risk is mitigated through use of:
- Dynamic keys
- Tokenization of PAN
- HSMs in back office
- Mobile app security layers


The Banks’ opportunity to take control

▌An alternative to the Secure Element (SE) TSM Model

▌Manage your master keys

▌Control critical assets

▌Look how HCE puts you back in control …


SE Card Emulation

[Diagram: SE Card Emulation. Parties shown: Consumer (Mobile App with SE), Mobile Network Operator (MNO TSM), SP TSM, Issuing Bank (Issuer Host), Merchant (Contactless POS Terminal), Payment Network.]


Host Card Emulation (HCE)

[Diagram: Host Card Emulation. Parties shown: Consumer (Mobile App), Mobile Network Operator, Issuing Bank (Issuer Host), Merchant (Contactless POS Terminal), Payment Network. Compared with the SE diagram, the SE and both TSMs are absent.]


New Challenges | New Solutions

Securing the registration process

Risk Analysis

Delivering credentials securely to the phone

Managing the key and credential lifecycle

Tokenisation


Layered security to reduce your risk

▌Key security
- New issuer master keys dedicated to HCE transactions
- New ‘digital card’ keys dedicated to HCE transactions
- Session/single-use keys to minimize risk and prevent replay attacks

▌Alternative PAN or token approach
- Isolate HCE from other payment channels
- Devalue the ‘PAN’ if stolen from the phone
- Seamless integration of issuer-side tokenization where needed

▌Secure communications with the mobile phone
- HSM acts as an endpoint for key exchange with the mobile phone
- All critical keys and data supplied to the phone in encrypted format
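To make the key hierarchy described on the "What is HCE" and "Layered security" slides concrete (an HCE-dedicated issuer master key, a per-token digital card key, single-use session keys, and replay rejection at the issuer host), here is an added Python model; it is not part of the Thales deck or any scheme specification, and the HMAC-SHA256 derivation, the label strings and the sample key and token values are constructed assumptions.

```python
import hmac
import hashlib
from dataclasses import dataclass, field
# Constructed sample values (not real keys): an HCE-dedicated issuer master key and one token PAN.
HCE_MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
TOKEN_PAN = "4000001234567899"

def kdf(key: bytes, label: bytes) -> bytes:
    # HMAC-SHA256 stands in for the scheme-specific 3DES/AES derivation (an assumption here).
    return hmac.new(key, label, hashlib.sha256).digest()

def derive_card_key(master_key: bytes, token_pan: str) -> bytes:
    # 'Digital card' key bound to the token; the real PAN never leaves the issuer.
    return kdf(master_key, b"hce-card|" + token_pan.encode())

def provision_session_keys(master_key: bytes, token_pan: str, start_atc: int, count: int) -> dict:
    # Issuer/HSM side: one single-use key per ATC value; sent to the phone encrypted in real deployments.
    card_key = derive_card_key(master_key, token_pan)
    return {atc: kdf(card_key, b"hce-session|" + atc.to_bytes(2, "big"))
            for atc in range(start_atc, start_atc + count)}

def cryptogram(session_key: bytes, atc: int, amount: int, un: bytes) -> bytes:
    # Transaction MAC over counter, amount and the terminal's unpredictable number.
    data = atc.to_bytes(2, "big") + amount.to_bytes(6, "big") + un
    return hmac.new(session_key, data, hashlib.sha256).digest()[:8]

@dataclass
class Wallet:
    # Phone side: holds only unused session keys, never the card or master key.
    session_keys: dict

    def pay(self, amount: int, un: bytes) -> tuple:
        atc = min(self.session_keys)          # next unused counter
        key = self.session_keys.pop(atc)      # single use: discarded after one payment
        return atc, cryptogram(key, atc, amount, un)

@dataclass
class IssuerHost:
    # Back office: recompute the cryptogram and enforce a strictly increasing ATC per token.
    master_key: bytes
    last_atc: dict = field(default_factory=dict)

    def verify(self, token_pan: str, atc: int, amount: int, un: bytes, cg: bytes) -> bool:
        if atc <= self.last_atc.get(token_pan, -1):    # replayed or stale counter
            return False
        key = provision_session_keys(self.master_key, token_pan, atc, 1)[atc]
        if not hmac.compare_digest(cryptogram(key, atc, amount, un), cg):
            return False                                # tampered data or wrong key
        self.last_atc[token_pan] = atc
        return True
```

A replayed cryptogram fails on the counter check before any key derivation, and a phone that has used up its batch holds nothing of value until the issuer provisions a new one.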


Thales Hardware Security Modules

▌Hardware Security Modules
- Tamper resistant, certified security
- Secure cryptographic operations
- High assurance key management

nShield – multi-purpose HSM family

payShield – payments HSM family


Host Card Emulation with Thales HSMs

[Diagram: Issuer Back Office Systems with HSMs at each of the three stages below, a Web Server facing the Internet, and the Merchant POS, Acquirer and Card Network on the transaction path.]

▌Device Provisioning
- Manage session keys
- Manage apps
- Provision device

▌Account Management
- Manage master & card keys
- Manage customer accounts
- Manage PINs/passcodes

▌Transaction Processing
- Derive session keys
- Fraud management
- Payment authorization


Thales support

▌Working with the card schemes, to provide support
- payShield 9000 Pre release 1401-0901, November 2014: Visa Cloud Payments complete
- payShield 9000 Pre release 1401-0903, February 2015: 1st draft MasterCard Cloud Based Payments
- payShield 9000 Pre release 1401-0911, December 2015: full MCBP support; American Express Expresspay; 1st draft Discover
- payShield 9000 Major Release 3.0, available now: including all functionality above; coming soon: Union Pay, Verve, Diners

Support for other card brands to follow


Tinkoff Bank!


D8 & MTBank


Thales, ready to go when you are

▌HSM functionality available off-the-shelf
- Visa, MasterCard and American Express variants supported
- Dedicated payShield 9000 functions – no additional development needed
- Update to PCI HSM certification in progress

▌Proven integration with leading HCE solutions
- Major solution providers have pre-integrated with payShield 9000
- Low risk, plenty of choice, superior support

▌Comprehensive consultancy, training and support
- We understand the cryptography necessary to support HCE
- We can help your team get up to speed quickly with the overall system
- 24 x 7 support is what we can offer you


Why Thales e-Security?

Sectors: Banking, Government, Utilities, High Tech, Mobile, Automotive, Healthcare, Manufacturing

▌ Our track record. Over 40 years of leadership delivering data protection solutions around the world

▌ Our customers. We secure some of the world’s most valuable information and > 80% of payment transactions

▌ Our commitment. Hundreds of R&D staff dedicated to excellence in applied cryptography

▌ Our certifications. All our offerings are independently security certified - more than anyone else!

▌ Our support services. Our Advanced Solutions Group (ASG) provides world-class consulting, training, and deployment assistance


HCE – your opportunity to take control of mobile payments

▌Terminals, schemes, customers and mobiles are ready for HCE

▌Working with Thales will make implementation quicker and secure

▌Thales is committed to securing HCE solutions

▌Download the whitepaper: https://bit.ly/1ZYz5mn

▌Contact us via the website: https://www.thales-esecurity.com

▌Or contact me: simon.keates@thales-esecurity.com / @simonkeates
