Standard Seeks to Create More Secure PIN Entry for NFC Payment

As prospects for NFC-based mobile payment heat up, banks and payment brands are left with the problem of how to secure high-value transactions.

With malware on smartphones an ever-present worry, some are not convinced it is safe to let consumers enter PIN codes on handset keypads, where keystrokes could be captured by fraudsters.

So some banks are requiring users in trials, such as one now going on in Spain, to enter their PINs on point-of-sale terminal keypads, which are then compared with PINs stored on the backend. Some NFC trial organizers don’t allow high-value transactions at all.

And while most banks and payment companies likely will want to enable PIN entry on the NFC handset to keep the user experience consistent, they might follow the lead of French banks, which in NFC pilots have renamed the PIN the “personal code.” The banks emphasize that this code is different from the PINs customers use with their French debit cards, but renaming it does nothing to reduce the risk of entering it on an insecure phone keypad.

But vendors have been developing hardware and software that could provide a trusted area on the phone’s own application processor, isolated from the rich operating system, which could store encryption keys, certificates and other sensitive material.

This so-called “trusted execution environment” would let a trusted application take control of the keypad and screen, safeguarding PIN entry on the phone keypad and deterring hackers from spying on transaction data displayed on the handset screen. It could offer a security boost for a range of other applications, including secure access through corporate virtual private networks or digital rights management for games or music, among a range of services in the app stores of the various smartphone makers.

“The picture is very clear, you will have a smartphone in your pocket; you will have a rich OS (operating system), and there is a real need for security whatever the OS,” Gil Bernabeu, technical director for GlobalPlatform, told NFC Times. “Currently, the Apple and RIM (BlackBerry maker Research in Motion) and Android stores, those guys are making applications with no security.”

GlobalPlatform is developing specifications that apply to the software and hardware that make up the trusted execution environment in phones. The specifications define the application programming interface, or API, for applications that run in this trusted environment. A common API would enable developers working with various smartphone operating systems and chips to write applications that run across all the platforms. Today each vendor’s trusted execution environment and its application interface remain proprietary.

Most trusted execution environments on phones are built on TrustZone, a secure area of the processor defined by UK-based chip design company ARM Holdings, but TrustZone has to be integrated with different operating systems, such as BlackBerry OS and Android, and with the chips of different phone processor makers. There are also at least two major providers of software platforms for applications using TrustZone and the trusted execution environment: smart card vendor Giesecke & Devrient and Trusted Logic, owned by smart card maker Gemalto.

GlobalPlatform members ARM, Giesecke & Devrient, Trusted Logic and chip makers ST-Ericsson and Texas Instruments have worked on the specifications.

The specs will not be used only for NFC applications. The mobile operator group Open Mobile Terminal Platform, now known as the Wholesale Applications Community, or WAC, also worked on the specifications.

But GlobalPlatform still needs support from the major smartphone makers and other chip makers for its specifications. The initiative presumably has the backing of Giesecke & Devrient and Trusted Logic, which helped write it, and GlobalPlatform has formed a working group to continue work on the standard.

There is also a need for a secure connection from the trusted execution environment to the secure element, the tamper-resistant chip in the NFC phone that would store the actual keys for the payment applications and the customers’ PIN codes. This chip could be on a SIM card, embedded in the handset itself or located elsewhere, such as on a microSD card inserted in the phone.
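The split the article describes, with the trusted execution environment capturing the PIN and the secure element holding the reference PIN and keys, can be sketched as a short message exchange. The following is an added example, not code from GlobalPlatform, ARM or any vendor named here. It assumes a channel key pre-shared between the TEE and the secure element at personalization time, a toy authenticated-encryption scheme built from HMAC-SHA256 in place of a real secure channel protocol, and a secure element that remembers nonces to reject replays. The rich OS, which in the article is the untrusted party, only relays opaque bytes and never sees the PIN.

```python
"""Simulated PIN verification between a TEE trusted app and a secure element (SE).

Constructed example. The channel key, the HMAC-based cipher and the nonce
bookkeeping are assumptions for illustration, not a vendor's design.
"""
import hashlib
import hmac
import os
from typing import Optional

# Assumed pre-shared channel key (constructed value for this example).
CHANNEL_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from the channel key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; a toy construction for the example only.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns ciphertext || tag."""
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return ct + tag


def unseal(key: bytes, nonce: bytes, blob: bytes) -> Optional[bytes]:
    """Verify the tag before touching the ciphertext; None if verification fails."""
    if len(blob) < TAG_LEN:
        return None
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class SecureElement:
    """Holds the reference PIN and the retry counter; never releases the PIN."""

    def __init__(self, channel_key: bytes, pin: bytes, max_tries: int = 3) -> None:
        self._key = channel_key
        self._pin = pin
        self._max_tries = max_tries
        self.tries_left = max_tries
        self._seen_nonces = set()  # simplification: real SEs use a session counter

    def verify_pin(self, message: bytes) -> str:
        if self.tries_left == 0:
            return "BLOCKED"
        nonce, body = message[:NONCE_LEN], message[NONCE_LEN:]
        if nonce in self._seen_nonces:
            return "REPLAY"
        candidate = unseal(self._key, nonce, body)
        if candidate is None:
            # Tampered or not from the TEE: not counted as a wrong PIN attempt.
            return "CHANNEL_ERROR"
        self._seen_nonces.add(nonce)
        if hmac.compare_digest(candidate, self._pin):
            self.tries_left = self._max_tries
            return "OK"
        self.tries_left -= 1
        return "WRONG"


class TrustedApp:
    """TEE side: takes the PIN from the trusted keypad and wraps it for the SE."""

    def __init__(self, channel_key: bytes) -> None:
        self._key = channel_key

    def send_pin(self, pin_digits: bytes) -> bytes:
        # In a real TEE the digits come from the trusted UI, never from the rich OS.
        nonce = os.urandom(NONCE_LEN)
        return nonce + seal(self._key, nonce, pin_digits)


def run_demo() -> list:
    """Drive a short session and return the SE's responses in order."""
    se = SecureElement(CHANNEL_KEY, b"1234")
    tee = TrustedApp(CHANNEL_KEY)
    first = tee.send_pin(b"1234")
    results = [se.verify_pin(first)]                       # OK
    results.append(se.verify_pin(first))                   # REPLAY: relayed twice
    results.append(se.verify_pin(tee.send_pin(b"0000")))   # WRONG
    tampered = bytearray(tee.send_pin(b"1234"))
    tampered[-1] ^= 0x01                                   # rich OS flips a tag bit
    results.append(se.verify_pin(bytes(tampered)))         # CHANNEL_ERROR
    return results


if __name__ == "__main__":
    print(run_demo())
```

Two design points carry over to a real deployment regardless of the cipher used: the comparison and the retry counter live inside the secure element, so a compromised rich OS can neither read the reference PIN nor reset the counter, and a message that fails authentication does not consume a PIN try, so an attacker relaying garbage cannot lock the card from outside the trusted path.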

And even with the more secure phone keypad that the trusted environment provides, PIN entry on the phone to complete a payment transaction would not be considered as secure as entering PINs on POS terminal keypads that comply with the PIN Entry Device standard, or PED, of the PCI Security Standards Council.

But with NFC-based mobile payment expected to begin rolling out by next year, a standard promoting more secure phone keypads and screens is no doubt welcome news for banks and card brands. 

Article comments

MK.Mustafa Sep 14 2010

All these security issues can be solved with SCWS-enabled SIM cards; this will enable all mobiles to interact with the mobile payment application stored in SIM cards through a web server. All encryption keys are stored in the SIM and are not visible to the phone OS; all encryption operations are done at the SIM card level.

