Standard Seeks to Create More Secure PIN Entry for NFC Payment

As prospects for NFC-based mobile payment heat up, banks and payment brands are left with the problem of how to secure high-value transactions.

With malware on smartphones an ever-present worry, some are not convinced it’s safe to let consumers enter PIN codes on handset keypads, where keystrokes could be captured by fraudsters.

So some banks are requiring users in trials, such as one now going on in Spain, to enter their PINs on point-of-sale terminal keypads, which are then compared with PINs stored on the backend. Some NFC trial organizers don’t allow high-value transactions at all.

And while most banks and payment companies will likely want to enable PIN entry on the NFC handset to keep the user experience consistent, they might follow the lead of French banks, which in NFC pilots have renamed the PIN the “personal code.” The banks emphasize that this code is different from the PINs customers use with their French debit cards, but renaming it does nothing to address the risk of an insecure phone keypad.

But vendors have been developing hardware and software that could provide a trusted area on the phone’s application processor, isolated from the main operating system, in which encryption keys, certificates and other sensitive data could be stored and used.

This so-called “trusted execution environment,” or TEE, would add security features to help safeguard PIN entry on the phone keypad and also deter hackers from spying on transaction data displayed on the handset screen: while the trusted environment owns the keypad and display, the main operating system, and any malware running on it, is meant to have no way to read the keystrokes or the screen contents. It could offer a security boost for a range of other applications, including secure access through corporate virtual private networks or digital rights management for games or music, among a range of services in the app stores of the various smartphone makers.

“The picture is very clear, you will have a smartphone in your pocket; you will have a rich OS (operating system), and there is a real need for security whatever the OS,” Gil Bernabeu, technical director for GlobalPlatform, told NFC Times. “Currently, the Apple and RIM (BlackBerry maker Research in Motion) and Android stores, those guys are making applications with no security.”

GlobalPlatform is developing specifications covering both the software and the hardware that make up the trusted execution environment in phones. The specifications define an application programming interface, or API, for applications that run in this trusted environment, so that developers working with different smartphone operating systems and chips could write applications once and run them across all the platforms. Today, each vendor’s trusted environment remains proprietary.

Most trusted execution environments on phones use a secure area called TrustZone, from UK-based chip design company ARM Holdings, but TrustZone has to be tied into different operating systems, such as BlackBerry OS and Android, and into chips from different phone processor makers. There are also at least two major providers of software platforms for applications that use TrustZone and the trusted execution environment: smart card vendor Giesecke & Devrient and Trusted Logic, owned by smart card maker Gemalto.

GlobalPlatform members ARM, Giesecke & Devrient, Trusted Logic and chip makers ST-Ericsson and Texas Instruments have worked on the specifications.

The specs are not only for NFC applications, and a mobile operator group, the Open Mobile Terminal Platform, also worked on them. That group is now known as the Wholesale Applications Community, or WAC.

But GlobalPlatform still needs support from the major smartphone makers and other chip makers for its specifications. The initiative presumably has the backing of Giesecke & Devrient and Trusted Logic. GlobalPlatform has formed a working group to continue work on the standard.

There is also a need for a secure connection from the trusted execution environment to the secure element, the secure chip in the NFC phone that would store the actual keys for the payment applications and the customers’ PIN codes, so that a PIN captured in the trusted environment reaches the secure element without ever passing through the main operating system in the clear. This chip could be on a SIM card, embedded in the handset itself or located elsewhere, such as on a microSD card inserted in the phone.

And even with the more secure phone keypad that the trusted environment provides, PIN entry on the phone to complete a payment transaction would not be considered as secure as entering PINs on POS terminal keypads that meet the PIN Entry Device standard, or PED, of the PCI Security Standards Council, which also demands physical tamper resistance that a consumer phone does not offer.
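The division of labour the article describes, trusted keypad capture inside the TEE, a protected link to the secure element that holds the PIN and keys, and a pass/fail verdict that is all the main operating system ever sees, as an added example. This is not code from the article, from GlobalPlatform or from any vendor named here. The PIN-block layout is ISO 9564-1 format 0, the format PEDs use; the channel protection built from HMAC-SHA256 is a stand-in for a real secure channel and is an assumption of this example, as are the channel key, PAN and PIN values, which are constructed test data.

```python
# Added example (not the article's, GlobalPlatform's or any vendor's code): a model of
# the TEE -> secure element PIN path. The rich OS only forwards an opaque message; the
# trusted UI inside the TEE captures the PIN and formats it as an ISO 9564-1 format-0
# PIN block; the block travels to the secure element (SE) encrypted and authenticated;
# the SE holds the reference PIN and retry counter and returns only a verdict.
# The HMAC-SHA256 keystream + tag is an illustrative stand-in for a real secure channel.
import hashlib
import hmac

CTR_LEN, BLOCK_LEN, TAG_LEN = 4, 8, 16


def iso9564_format0_block(pin: str, pan: str) -> bytes:
    """ISO 9564-1 format 0: PIN field XOR PAN field, 8 bytes."""
    if not (pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("PIN must be 4 to 12 digits")
    if not (pan.isdigit() and len(pan) >= 13):
        raise ValueError("PAN must have at least 13 digits")
    # PIN field: control nibble 0, PIN length, PIN digits, 0xF padding to 16 nibbles.
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    # PAN field: 0000 then the rightmost 12 PAN digits, check digit excluded.
    pan_field = bytes.fromhex("0000" + pan[:-1][-12:])
    return bytes(a ^ b for a, b in zip(pin_field, pan_field))


def decode_format0_block(block: bytes, pan: str) -> str:
    """Inverse of iso9564_format0_block; the verifier knows the PAN."""
    pan_field = bytes.fromhex("0000" + pan[:-1][-12:])
    pin_field = bytes(a ^ b for a, b in zip(block, pan_field)).hex().upper()
    if pin_field[0] != "0":
        raise ValueError("not a format 0 block")
    length = int(pin_field[1], 16)
    return pin_field[2:2 + length]


def _keystream(key: bytes, ctr: bytes) -> bytes:
    return hmac.new(key, b"enc" + ctr, hashlib.sha256).digest()[:BLOCK_LEN]


def _tag(key: bytes, ctr: bytes, ct: bytes) -> bytes:
    return hmac.new(key, b"mac" + ctr + ct, hashlib.sha256).digest()[:TAG_LEN]


def protect(key: bytes, counter: int, block: bytes) -> bytes:
    """Encrypt-then-MAC one PIN block; the counter gives the SE replay protection."""
    ctr = counter.to_bytes(CTR_LEN, "big")
    ct = bytes(a ^ b for a, b in zip(block, _keystream(key, ctr)))
    return ctr + ct + _tag(key, ctr, ct)


class SecureElement:
    """Holds the reference PIN and the retry counter; neither ever leaves the chip."""

    def __init__(self, channel_key: bytes, pin: str, pan: str, max_tries: int = 3):
        self._key, self._ref_pin, self._pan = channel_key, pin, pan
        self._max_tries = self._tries_left = max_tries
        self._last_ctr = 0

    @property
    def tries_left(self) -> int:
        return self._tries_left

    def verify(self, msg: bytes) -> str:
        if self._tries_left == 0:
            return "blocked"
        if len(msg) != CTR_LEN + BLOCK_LEN + TAG_LEN:
            return "bad_format"
        ctr, ct, tag = msg[:CTR_LEN], msg[CTR_LEN:CTR_LEN + BLOCK_LEN], msg[CTR_LEN + BLOCK_LEN:]
        # Authenticate before decrypting or touching any state.
        if not hmac.compare_digest(tag, _tag(self._key, ctr, ct)):
            return "bad_mac"
        if int.from_bytes(ctr, "big") <= self._last_ctr:
            return "replay"
        self._last_ctr = int.from_bytes(ctr, "big")
        block = bytes(a ^ b for a, b in zip(ct, _keystream(self._key, ctr)))
        try:
            pin = decode_format0_block(block, self._pan)
        except ValueError:
            pin = ""
        if hmac.compare_digest(pin.encode(), self._ref_pin.encode()):
            self._tries_left = self._max_tries
            return "ok"
        self._tries_left -= 1
        return "wrong_pin"


class TrustedUI:
    """Runs inside the TEE: owns the keypad while active, emits only ciphertext."""

    def __init__(self, channel_key: bytes):
        self._key = channel_key
        self._counter = 0

    def verify_pin(self, se: SecureElement, pan: str, keypad_digits: str) -> str:
        # keypad_digits stands in for digits read directly from the trusted keypad.
        self._counter += 1
        block = iso9564_format0_block(keypad_digits, pan)
        return se.verify(protect(self._key, self._counter, block))


if __name__ == "__main__":
    key = b"\x11" * 32            # constructed channel key shared by TEE and SE
    pan = "4111111111111111"      # constructed test PAN
    se, tui = SecureElement(key, "1234", pan), TrustedUI(key)
    print(tui.verify_pin(se, pan, "9999"))  # wrong_pin
    print(tui.verify_pin(se, pan, "1234"))  # ok
```

The verdict string is the only thing that crosses back into the rich OS; the message on the wire carries a counter, ciphertext and tag, never the PIN block, and the secure element rejects a replayed or altered message before it touches the retry counter. What the model cannot supply is the part of PED that a phone lacks: the secure element and TEE protect the PIN against software, not against a fraudster with physical access to the handset.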

But with NFC-based mobile payment expected to begin rolling out by next year, a standard promoting more secure phone keypads and screens is no doubt welcome news for banks and card brands. 

Article comments

MK.Mustafa Sep 14 2010

All these security issues can be solved with SCWS-enabled SIM cards; this will enable all mobiles to interact with the mobile payment application stored in the SIM card through the web server. All encryption keys are stored in the SIM and are not visible to the phone OS; all encryption operations are done at the SIM card level.

