Standard Seeks to Create More Secure PIN Entry for NFC Payment

As prospects for NFC-based mobile payment heat up, banks and payment brands are left with the problem of how to secure high-value transactions.

With viruses on smartphones an ever-present worry, some are not convinced it’s safe to allow consumers to enter PIN codes on handset keypads, which could be spied upon by fraudsters.

So some banks are requiring users in trials, such as one now going on in Spain, to enter their PINs on point-of-sale terminal keypads, which are then compared with PINs stored on the backend. Some NFC trial organizers don’t allow high-value transactions at all.

And while most banks and payment companies likely will want to enable PIN entry on the NFC handset to ensure the user experience is consistent, they might follow the lead of French banks, which in NFC pilots have renamed the PIN as the “personal code.” Although the banks emphasize that this code is different from the PINs used by customers for their French debit cards, it does not avoid the potential risks of an insecure phone keypad.

But vendors have been developing hardware and software that could provide a trusted area right on the phone processor, which could store encryption keys, certificates and other security measures.

This so-called “trusted execution environment” would add security features to help safeguard PIN entry on the phone keypad and also deter hackers from spying on transaction data displayed on the handset screen. It could offer a security boost for a range of other applications, including enabling secure access through corporate virtual private networks or digital rights management for games or music, among a range of services in app stores of the various smartphone makers.

“The picture is very clear, you will have a smartphone in your pocket; you will have a rich OS (operating system), and there is a real need for security whatever the OS,” Gil Bernabeu, technical director for GlobalPlatform, told NFC Times. “Currently, the Apple and RIM (BlackBerry maker Research in Motion) and Android stores, those guys are making applications with no security.”

GlobalPlatform is developing specifications that apply to software and hardware that use the trusted execution environment in phones. The specifications are for the application programming interface, or API, for applications that run in this trusted environment. The API would enable developers working with various smartphone operating systems and chips to develop applications across all the platforms. Their products now remain proprietary.

While most trusted execution environments on phones use a secure area called TrustZone, from UK-based chip design company ARM Holdings, TrustZone ties into different operating systems, such as BlackBerry OS and Android. There are also different phone processor chip makers, and at least two major providers of software platforms for applications using TrustZone and the trusted execution environment: smart card vendor Giesecke & Devrient and Trusted Logic, owned by smart card maker Gemalto.

GlobalPlatform members ARM, Giesecke & Devrient, Trusted Logic and chip makers ST-Ericsson and Texas Instruments have worked on the specifications.

These specs will not be used only for NFC applications, and the mobile operator group the Open Mobile Terminal Platform also worked on them. The group is now known as the Wholesale Applications Community, or WAC.

But GlobalPlatform needs some support from the major smartphone makers and other chip makers for its specifications. The initiative presumably has the backing of Giesecke & Devrient and Trusted Logic. GlobalPlatform has formed a working group to continue work on the standard.

There is also a need for a secure connection from the trusted execution environment to the secure element or secure chip in the NFC phones, which would store the actual keys to the payment applications and the customers’ PIN codes. This chip could be on a SIM card, embedded in the handset itself or located elsewhere, such as in a microSD card inserted in the phone.
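The split the article describes, a keypad owned by the trusted execution environment and a protected channel to the secure element that holds the reference PIN, can be modelled in a few dozen lines. The following is an added illustration, not code from the article, GlobalPlatform or any vendor named here; the rich OS, TEE and SE are constructed stand-ins, and the HMAC-based channel cipher is a simplified assumption rather than a real secure-channel protocol.

```python
import hmac
import hashlib
import secrets

# Constructed model of the architecture the article describes: a rich OS that
# malware may watch, a trusted execution environment (TEE) that owns the keypad
# during PIN entry, and a secure element (SE) holding the reference PIN. The
# HMAC-SHA256 keystream-plus-tag channel is a stand-in, not GlobalPlatform's protocol.

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """One 32-byte keystream block derived from (key, nonce); enough for a PIN."""
    ks = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, ks))

def _mac(key: bytes, nonce: bytes, ct: bytes) -> bytes:
    return hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

class RichOS:
    """Anything relayed through the rich OS is readable by malware living there."""
    def __init__(self):
        self.observed = []
    def relay(self, data: bytes) -> bytes:
        self.observed.append(data)
        return data

class SecureElement:
    def __init__(self, reference_pin: str, channel_key: bytes):
        self._pin = reference_pin.encode()
        self._key = channel_key  # shared with the TEE only, never with the rich OS
    def verify_plain(self, pin: bytes) -> bool:
        return hmac.compare_digest(pin, self._pin)
    def verify_secure(self, nonce: bytes, ct: bytes, tag: bytes) -> bool:
        if not hmac.compare_digest(_mac(self._key, nonce, ct), tag):
            return False  # tampered in transit: reject before decrypting
        return hmac.compare_digest(_keystream_xor(self._key, nonce, ct), self._pin)

def keypad_pin_entry(typed: str, os_: RichOS, se: SecureElement) -> bool:
    """Rich-OS keypad: the PIN crosses the rich OS in the clear on its way to the SE."""
    return se.verify_plain(os_.relay(typed.encode()))

def tee_pin_entry(typed: str, os_: RichOS, se: SecureElement, key: bytes, nonce=None) -> bool:
    """TEE trusted UI: the TEE reads the keypad; only ciphertext crosses the rich OS."""
    nonce = nonce or secrets.token_bytes(16)
    ct = _keystream_xor(key, nonce, typed.encode())
    msg = os_.relay(nonce + ct + _mac(key, nonce, ct))
    return se.verify_secure(msg[:16], msg[16:-32], msg[-32:])

def plaintext_leaked(os_: RichOS, pin: str) -> bool:
    return any(pin.encode() in blob for blob in os_.observed)
```

Running both paths with the same PIN shows the difference the article is after: the keypad path leaves the PIN in what the rich OS observed, the TEE path leaves only a nonce, ciphertext and tag, and the secure element still verifies correctly.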

And even with the more secure phone keypad that the trusted environment provides, PIN entry on the phone to complete a payment transaction would not be considered as secure as entering PINs on POS terminal keypads that support the PIN Entry Device standard, or PED, of the PCI Security Standards Council.

But with NFC-based mobile payment expected to begin rolling out by next year, a standard promoting more secure phone keypads and screens is no doubt welcome news for banks and card brands. 

Article comments

MK.Mustafa Sep 14 2010

All these security issues can be solved with SCWS-enabled SIM cards; this will enable all mobiles to interact with the mobile payment application stored in SIM cards through a web server. All encryption keys are stored in the SIM and are not visible to the phone OS; all encryption operations are done at the SIM card level.
