Smart Card to the Cloud for Convenient, Secured NFC Payment
TRANSCRIPT
Copyright © 2015 Kona Software Lab Ltd. All Rights Reserved.
Smart Card to the Cloud for Convenient, Secured NFC Payment
KONA I
Who We Are?
Sazzadur Rahaman, Software Engineer and Team Lead @ KONA SL
Image Source: http://the9gag.com/top-rated/4am-programmer-room-4440
Who We Are?
Md. Sanoar Hossain Khan, Senior Software Engineer and Development Project Manager @ KONA SL
Outline
• Payment Systems in Action: A Bird’s Eye View
• Moving Smart Cards to the Cloud: The Era of HCE
• Birth of Kona Pay: A New Payment Platform in Town
• A Journey with Kona Pay: Joy of Smashing Challenges
• Kona Pay into the Wild: From Korea to USA
• Q/A
Payment Systems in Action: A Bird’s Eye View
Payment System Overview
(Diagram: Card Holder with Plastic Card or Mobile Phone; Merchant with E-Commerce and POS; Acquirer; Payment Network; Issuer.)
Payment System Overview – Transaction Flow
(Diagram: the same parties as above, Card Holder (Plastic Card, Mobile Phone), Merchant (E-Commerce, POS), Acquirer, Payment Network and Issuer, with transaction steps numbered 1–5 between them.)
Payment System Overview
(Diagram: the same parties as above, with part of the flow marked "Out of the Scope" of this talk.)
Magnetic Cards vs Smart Cards
• Magnetic stripe card: an open magnetic stripe holding the user data
• Smart card components: a secure IC chip (SE) holding the service applet and the user data
• Contactless smart card: the same secure IC chip (SE) plus an NFC radio
Standard NFC Cards and Mobile-based Card
Same components in different form factor: the smart card's IC chip (SE) with its service applet and user data becomes an SE inside the end-user mobile handset, linked to the NFC controller over SWP.
• SE Provider providing SEs (generally MNOs)
• Service Provider providing Services to the consumers (generally Banks)
More convenient than the other form factors
Need for Trusted Service Manager
o Manages the Secure Element
o Arranges data exchange and business relationships among stakeholders
o Generates Security Domains (SDs) and manages the keys used in generating SDs, so Service Providers can safely and independently manage their services
o Makes service provisioning simpler, therefore achieves service activation in a short period of time
(Diagram: the Trusted Service Manager sits between SE Providers 1–3 and Service Providers SP 1–3; each SE carries a service applet and user data.)
Still the ecosystem is more complex than previous
Moving Smart Cards to the Cloud: The Era of HCE
SE-less mobile card: Host Card Emulation
Concept of Host Card Emulation
Transaction processing before HCE: the service applet and user data live in the Secure Element, which answers the NFC controller.
Additional option with HCE: with Google Android 4.4 and above, the NFC controller communicates with the host OS first, allowing it to choose where to request the applet and user data from (Secure Element, local storage or the Internet) and to bypass the SE if required.
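The host-first routing decision this slide describes, as an added example for this page (not Kona Pay's or Android's code): a constructed simulation in which the NFC controller hands every command APDU to the host OS, the host answers SELECT commands for AIDs that have a registered HCE service, and only falls back to the secure element otherwise. The AIDs, the service label and the follow-up GET DATA command are made up for the demo.

```python
from __future__ import annotations

SW_OK = bytes.fromhex("9000")              # ISO 7816-4: command succeeded
SW_FILE_NOT_FOUND = bytes.fromhex("6A82")  # no applet with that AID


def parse_select_aid(apdu: bytes) -> bytes | None:
    """Return the AID if `apdu` is a SELECT-by-name (INS A4, P1 04), else None."""
    if len(apdu) < 5:
        return None
    ins, p1, lc = apdu[1], apdu[2], apdu[4]
    if ins != 0xA4 or p1 != 0x04:
        return None
    aid = apdu[5:5 + lc]
    return aid if len(aid) == lc else None


def build_select(aid: bytes) -> bytes:
    """Build the SELECT-by-name command a POS sends to pick an applet."""
    return bytes([0x00, 0xA4, 0x04, 0x00, len(aid)]) + aid + b"\x00"


class HostCardEmulationService:
    """Stand-in for an Android HostApduService: the applet lives in the OS."""

    def __init__(self, aid: bytes, label: str) -> None:
        self.aid, self.label = aid, label

    def process(self, apdu: bytes) -> bytes:
        # A real service would run the payment applet logic here.
        return self.label.encode() + SW_OK


class SecureElement:
    """Applets that still live in the SE and are reached only if the host passes."""

    def __init__(self, aids: set[bytes]) -> None:
        self.aids = aids

    def process(self, apdu: bytes) -> bytes:
        aid = parse_select_aid(apdu)
        if aid is None:
            return b"SE" + SW_OK   # follow-up command to an already selected applet
        return b"SE" + SW_OK if aid in self.aids else SW_FILE_NOT_FOUND


class NfcController:
    """Host-first routing: consult the OS's registered HCE services before the SE."""

    def __init__(self, se: SecureElement) -> None:
        self.se = se
        self.host_services: dict[bytes, HostCardEmulationService] = {}
        self.selected: bytes | None = None   # AID chosen by the last SELECT

    def register(self, service: HostCardEmulationService) -> None:
        self.host_services[service.aid] = service

    def dispatch(self, apdu: bytes) -> tuple[str, bytes]:
        """Return (where the command was answered, response APDU)."""
        aid = parse_select_aid(apdu)
        if aid is not None:
            if aid in self.host_services:          # host answers, SE bypassed
                self.selected = aid
                return "host", self.host_services[aid].process(apdu)
            resp = self.se.process(apdu)            # no HCE service: ask the SE
            self.selected = aid if resp.endswith(SW_OK) else None
            return "se", resp
        if self.selected is None:
            return "none", SW_FILE_NOT_FOUND        # nothing selected yet
        if self.selected in self.host_services:
            return "host", self.host_services[self.selected].process(apdu)
        return "se", self.se.process(apdu)


def demo() -> list[tuple[str, bytes]]:
    # Constructed AIDs: one applet lives in the SE, one is an HCE service in the OS.
    se = SecureElement({bytes.fromhex("F0A1B2C3D4E5")})
    nfc = NfcController(se)
    nfc.register(HostCardEmulationService(bytes.fromhex("F1112233445566"), "HCE-WALLET"))
    return [
        nfc.dispatch(build_select(bytes.fromhex("F1112233445566"))),  # host answers
        nfc.dispatch(bytes.fromhex("80CA9F7F00")),                    # follow-up GET DATA stays on host
        nfc.dispatch(build_select(bytes.fromhex("F0A1B2C3D4E5"))),    # host has no service: SE answers
        nfc.dispatch(build_select(bytes.fromhex("F099999999"))),      # unknown everywhere
    ]


if __name__ == "__main__":
    for where, resp in demo():
        print(where, resp.hex())
```

The router only keeps the destination chosen by the last successful SELECT, which is the same reason a real HCE deployment must register every AID it intends to answer: an AID with no host service silently falls through to whatever the SE holds.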
Security via Tokenization
(Diagram: the Issuer (Bank) passes the user's PAN, expiry date etc. to the Token Server; its Token Generator creates a token, which is kept in the Token Vault and delivered to the user mobile.)
1. Static Parameters
2. Dynamic Parameters
Security via Tokenization
Token’s use during transactions
(Diagram: User mobile, POS, Acquirer bank, Issuer (Bank) with Token Adapter, and Token Server with Token Vault holding the user's PAN, expiry date etc. against the token; steps 1–6 ending in Authorization.)
During a contactless payment transaction the token travels through the POS to the Issuer system. The Issuer sends the token to the Tokenization Server for checking and, upon getting confirmation that it is valid, authorizes the transaction.
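The transaction-time flow on this slide, written out as an added example for this page (not Kona Pay's or any token service provider's code): the phone presents a token plus a cryptogram over the dynamic parameters of the tap, the issuer asks the token server to verify both, and only the token server ever resolves the real PAN. The HMAC-SHA256 construction of the cryptogram, the per-token key, the sample PAN, token and balances are all assumptions constructed for the demo; it also shows the cryptogram check the later note on tokenized plastic cards refers to.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class TokenRecord:
    pan: str           # real PAN, held only inside the vault
    expiry: str
    token_key: bytes   # per-token key used to verify transaction cryptograms
    last_atc: int = 0  # last accepted application transaction counter (replay guard)


class TokenVault:
    """Maps a token (alternate PAN) to the cardholder's real PAN and key."""

    def __init__(self) -> None:
        self._by_token: dict[str, TokenRecord] = {}

    def issue(self, token: str, pan: str, expiry: str, token_key: bytes) -> None:
        self._by_token[token] = TokenRecord(pan, expiry, token_key)

    def lookup(self, token: str) -> TokenRecord | None:
        return self._by_token.get(token)


def transaction_cryptogram(token_key: bytes, token: str, amount: int,
                           atc: int, unpredictable_number: str) -> str:
    """Cryptogram over the dynamic parameters of one tap. HMAC-SHA256 stands in
    for the card scheme's MAC; the construction is an assumption of this example."""
    msg = f"{token}|{amount}|{atc}|{unpredictable_number}".encode()
    return hmac.new(token_key, msg, hashlib.sha256).hexdigest()[:16]


class TokenServer:
    """The issuer asks here whether token and cryptogram are valid; only then
    is the real PAN resolved."""

    def __init__(self, vault: TokenVault) -> None:
        self.vault = vault

    def verify(self, token: str, amount: int, atc: int,
               unpredictable_number: str, cryptogram: str) -> tuple[bool, str]:
        rec = self.vault.lookup(token)
        if rec is None:
            return False, "unknown token"
        if atc <= rec.last_atc:
            return False, "replayed or stale counter"
        expected = transaction_cryptogram(rec.token_key, token, amount, atc,
                                          unpredictable_number)
        if not hmac.compare_digest(expected, cryptogram):
            return False, "cryptogram mismatch"
        rec.last_atc = atc
        return True, rec.pan


class Issuer:
    """Issuer authorization: resolve token -> PAN via the token server, then apply
    the account check. The PAN never appears in POS or acquirer messages."""

    def __init__(self, token_server: TokenServer, balances: dict[str, int]) -> None:
        self.token_server = token_server
        self.balances = balances

    def authorize(self, token: str, amount: int, atc: int,
                  unpredictable_number: str, cryptogram: str) -> tuple[str, str]:
        ok, detail = self.token_server.verify(token, amount, atc,
                                              unpredictable_number, cryptogram)
        if not ok:
            return "declined", detail
        pan = detail
        if self.balances.get(pan, 0) < amount:
            return "declined", "insufficient funds"
        self.balances[pan] -= amount
        return "approved", "token ending " + token[-4:]


def demo() -> list[tuple[str, str]]:
    # Constructed sample: one real PAN, one token provisioned to a phone.
    vault = TokenVault()
    token_key = b"\x01" * 16   # constructed per-token key, not real key material
    vault.issue("4999000011112222", "4111111111111111", "1219", token_key)
    issuer = Issuer(TokenServer(vault), {"4111111111111111": 10_000})

    results = []
    # 1. A genuine tap: the phone computes the cryptogram with its token key.
    crypt = transaction_cryptogram(token_key, "4999000011112222", 2500, 1, "A1B2C3D4")
    results.append(issuer.authorize("4999000011112222", 2500, 1, "A1B2C3D4", crypt))
    # 2. The same message presented again: the counter was already used.
    results.append(issuer.authorize("4999000011112222", 2500, 1, "A1B2C3D4", crypt))
    # 3. Amount altered in transit: the cryptogram no longer matches.
    results.append(issuer.authorize("4999000011112222", 9999, 2, "A1B2C3D4", crypt))
    # 4. A real PAN in place of the token is unknown to the vault.
    results.append(issuer.authorize("4111111111111111", 100, 3, "A1B2C3D4", crypt))
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The merchant, POS and acquirer only ever handle the token, which is why a breach on their side exposes nothing that can be used outside this ecosystem; the counter and the cryptogram over the amount are what make a captured token useless for a second purchase.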
Different flavors (models) of HCE
(Each model is drawn as a mobile device with Mobile OS, HCE APIs, a service applet (agent) and the NFC controller; what differs is where the user data, keys and token are kept.)
• Model 1: applet in cloud; user data and keys in cloud
• Model 2: applet in OS; user data and keys in OS
• Model 3: applet in OS; user data in cloud
• Model 4: applet in OS; user data in cloud; token downloaded to OS
• Model 5 (SE-biased): applet in OS; user data in SE
Birth of Kona Pay: A New Payment Platform in Town
Issuer / Bank: multiple business and technical arrangements
• In-store payment using plastic card
• Online payment
• Plastic card issuance
• Tokenization
• Mobile card issuance
• In-store payment using mobile card
• In-app payment
Merchant: Online Fraud – Liability Shift
Fraud & Liability
• Potential data breach: phishing, key logging, etc.; hacking of Card on File (CoF); transaction data modification or interception
• Key liability towards the merchant: need to secure the e-store, CoF and the transaction
Online Shopping
• Manually enter card info: inconvenient for the user
• Store card info in online account: merchant needs to support Card on File (CoF)
• Online transaction: mag-stripe transaction
User
• Lots of credit cards, ID cards, coupons, etc.
• Different credit card, different PIN
• Input credit card information manually
• Trust merchants with credit card info
• Insecure online transactions
• Multiple vouchers, coupons, gift cards, etc.
• Need to carry those around physically
• Longer card delivery time
• Card cloning
• Constantly check for suspicious transactions, notify the bank
• Hassle to block the card and get a new one, also the reimbursement of the money from the bank
Converging Factors
Single Payment Platform
• ALL form factors: plastic contact card, plastic contactless card, N Card*, SE (UICC, mSD, eSE), host card emulation
• ALL provisioning modes: central mass perso, instant perso, SE/HCE OTI or OTA, SE/HCE (post) issuance OTI/OTA
• ALL payment modes: in-store with plastic cards; in-store with SE/HCE mobile; in-app with SE/HCE mobile; in-app/remote with plastic contactless using NFC
• ALL security measures: EMV, tokenized plastic card**, whitebox crypto, LDE, PKI, FIDO, TEE (in roadmap)
* N Card is a dual interface plastic card: it supports both contact and contactless, can store multiple credit cards, gift/loyalty/coupons, transport card, etc., can be (post) personalized using the mobile wallet and used to make in-store as well as in-app transactions using NFC between the card and the mobile.
** A tokenized plastic card does not store the original PAN inside, but an alternate PAN, which generates a cryptogram for the issuer to verify.
Converging Factors
Single Wallet: N Card, SE (UICC, mSD, eSE), Remote Payment, HCE
• N Card is a dual interface plastic card
• Supports both contact and contactless
• Can store multiple credit cards, gift/loyalty/coupons, transport card, etc.
• Post personalized using the mobile wallet
• Supports in-store and in-app transactions using NFC between the card and the mobile
Components of Kona Pay
(Diagram: Payment Network, Acquirer, POS, Remote Payment Gateway, User, Mobile Application, Card, TSM, Service Manager, Mobile Application Platform, Cloud Platform, Voucher Issuance System, Card Issuance System, Token Service Provider, Transaction Management System, Issuer CMS.)
Personalization Flow
(Diagram 1, plastic cards: Issuer, Issuer Authorization System, Service Manager, Card Issuance System (Data Prep) turning raw data into P3 data, Card Issuance System (Data Perso), Perso Machine; output: plastic cards.)
(Diagram 2, tokenized plastic cards: the components of diagram 1 plus the Token Service Provider and Secure Server; output: tokenized plastic cards.)
(Diagram 3, HCE applet: Issuer, Issuer Authorization System, Service Manager, Card Issuance System (Data Prep) with raw data and P3 data, Token Service Provider, Secure Server, Cloud Platform, Mobile Application Platform (MAP), Mobile Application and HCE applet on the mobile, reached over the Internet.)
(Diagram 4, SE in the mobile: the components of diagram 3 with a TSM, the SE in the mobile and the Mobile App Platform.)
(Diagram 5, dual interface card: the components of diagram 4 with the Dual Interface Card personalized via the mobile.)
(Diagram 6, all form factors together: all components above, including Perso Machine, Card Issuance System (Data Perso) and Internet; outputs: plastic cards and tokenized plastic cards.)
Transaction Flow
(Diagram 1, in-store purchases: Mobile Application, HCE applet, SE, Dual Interface Card, Mobile, POS, Acquirer, Payment Network, Issuer Authorization System, Transaction Management System (TMS) receiving the transaction update, TSP, Cloud Platform, TSM, MAP, Service Manager, Card Issuance System (Data Prep), Perso Machine, Secure Server.)
(Diagram 2, in-app purchases: the same components, with the Remote Payment Gateway in place of the POS.)
Issuer / Bank: one platform supports all form-factors and channels
• N Card, soft card, SE-based card
• Single wallet
• In-store payment
• In-app and online payment
• Voucher redemption
Merchant: No Liability | No PCI-DSS | Higher Conversion
(Diagram: the merchant holds a TOKEN; the real card number is NO NEED.)
No more liability
• Card on File: does not store the real PAN, only stores the token (alternate PAN)
• Manual entry: no need to enter card info manually; the token will be used on the entire ecosystem
• Transaction security: EMV transaction instead of magstripe; highly secure – impossible to break
No more PCI-DSS
• Cost saver: does not need certification issuance / renewal; less administrative cost on infrastructure
Higher conversion
• User experience: secured and hassle-free shopping; increased conversion rate
User
• N Card
• One PIN
• Single wallet
• Secure transactions
• Convenient voucher redemption
• Single click transaction
A journey with Kona Pay: Joy of Smashing Challenges
Challenges - Development with the Spec Releases
Host Card Emulation is a relatively (in payment industry terms) recent idea. However, the major brands have rapidly endorsed and developed specifications to help vendors.
Timeline (Nov–Dec, then Jan–Dec 2014, labelled Q1–Q4), in order of appearance:
• Android 4.4 mobile OS platform with HCE support
• VCP-CS (VISA Cloud-based Payments - Contactless Specifications) 1.0
• EMV Payment Tokenization Specification 1.0
• VCP-CS 1.1
• VCP-CS 1.2
• MasterCard Cloud-Based Payments Specification 1.0
• Draft AmEx specifications
• Cartes 2014
VCP-CS
o Compatible with the EMV tokenization spec
o Defined components of the HCE eco-system (for provisioning, tokenization, verification, lifecycle management etc.) with general responsibilities
o Behavior guidance for the application in the mobile; compatible with VCPS
EMV Tokenization Specifications
o PAN, expiry date, cardholder name and cryptographic keys are to be tokenized
o Tokens have a similar format to the original data
o Token ranges are different from the original PAN ranges, etc.
o Different business models: digitized card in mobile, card-on-file online, etc.
MasterCard CBP
o Compatible with the EMV tokenization spec
o Defined components of the HCE eco-system with specific responsibilities and actions
o Defined specific behavior for the application in the mobile in detail
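The two format rules the EMV tokenization bullets state (tokens look like the original PAN; token ranges are distinct from real PAN ranges), carried out in an added example for this page that is not the specification's own reference code: a token is generated with the PAN's length, a Luhn check digit and a token BIN, and a merchant- or acquirer-side classifier tells tokens from PANs by range alone. The BIN values, the seeded RNG and the sample PAN (a widely used test number) are constructed for the demo.

```python
from __future__ import annotations

import random


def luhn_check_digit(partial: str) -> str:
    """Compute the check digit that makes `partial` + digit Luhn-valid."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if `number` is all digits and its last digit is the Luhn check digit."""
    return (number.isdigit() and len(number) > 1
            and number[-1] == luhn_check_digit(number[:-1]))


def generate_token(pan: str, token_bin: str, rng: random.Random) -> str:
    """Token with the same length as the PAN, a Luhn check digit and a BIN that the
    issuer reserves for tokens, so it never collides with a real PAN range."""
    if not luhn_valid(pan):
        raise ValueError("input is not a well-formed PAN")
    body_len = len(pan) - len(token_bin) - 1
    body = "".join(str(rng.randrange(10)) for _ in range(body_len))
    partial = token_bin + body
    return partial + luhn_check_digit(partial)


def classify(number: str, pan_bins: set[str], token_bins: set[str],
             bin_len: int = 6) -> str:
    """Tell a real PAN from a token by its range, as a merchant or acquirer could."""
    if not luhn_valid(number):
        return "malformed"
    prefix = number[:bin_len]
    if prefix in token_bins:
        return "token"
    if prefix in pan_bins:
        return "pan"
    return "unknown"


def demo() -> tuple[str, str, str, str]:
    pan = "4111111111111111"            # constructed sample PAN (well-known test number)
    pan_bins, token_bins = {"411111"}, {"499900"}   # constructed issuer ranges
    rng = random.Random(2015)           # seeded only so the demo is repeatable
    token = generate_token(pan, "499900", rng)
    return pan, token, classify(pan, pan_bins, token_bins), classify(token, pan_bins, token_bins)


if __name__ == "__main__":
    print(demo())
```

A production token service would draw the token body from a cryptographically secure source and keep an allocation table so the same token is never issued twice; the format and range rules above are what let existing POS, acquirer and card-on-file systems carry a token unchanged.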
Challenges - Development with the Spec Releases
• Had to adapt to lots of changes within a short time
– Had to try different business models to fit in
• Hard deadline to stay ahead of the market competitors
• We had to forecast different behaviors for the MasterCard CBPS specs
– Sometimes it worked and sometimes it didn’t
Challenges We Faced
• Maintaining effective peer code review under serious deadlines
• Automated test coverage
• Scrum practice in distributed teams
• Testing while developing
– Mocking the dependency
– Implement the skeleton first from top to bottom
Challenges We Faced
• Effective team collaboration while building web services
– Dependency analysis before planning a sprint is very vital
Image Source: http://wonderfulengineering.com
People behind Kona Pay
• Total Developers: 22
• Total QAs: 7
• Scrum Teams: 5
Scrum Meeting
Lessons to make scrum successful
Technologies Used for Kona Pay
Mobile App: Host Card Emulation, Smart Card Service, PKI middleware, White Box Cryptography, ActiveAndroid, Dagger, ButterKnife, Retrofit, EventBus
Web Application: Spring Framework, Spring MVC, Spring Integration, JPA, Hibernate, JBoss AS
Other Tools: RabbitMQ (MQTT), HornetQ, Memcached, Infinispan, OpenSSO, ElasticSearch-Logstash-Kibana
Database: Oracle, MySQL
Technologies Used for Kona Pay
Testing: JBehave, Gatling, JMeter, Collis
Environment: Eclipse, Gradle, JRebel, Git, Jenkins
Review & Issue Tracking: Review Board, Redmine
Kona Pay into the Wild: From Korea to The World
Kona Pay was Unveiled in South Korea for Korean Market
Kona Pay Outside Korea
• Kona Pay was unveiled at Money20/20 2015 for the US market
• Kona Pay will be unveiled at Cartes 2015 for the European market
Q/A
Thanks