Standard Seeks to Create More Secure PIN Entry for NFC Payment

As prospects for NFC-based mobile payment heat up, banks and payment brands are left with the problem of how to secure high-value transactions.

With viruses on smartphones an ever-present worry, some are not convinced it’s safe to allow consumers to enter PIN codes on handset keypads, which could be spied upon by fraudsters.

So some banks are requiring users in trials, such as one now going on in Spain, to enter their PINs on point-of-sale terminal keypads; the entered PINs are then compared with PINs stored on the backend. Some NFC trial organizers don’t allow high-value transactions at all.

And while most banks and payment companies likely will want to enable PIN entry on the NFC handset to ensure the user experience is consistent, they might follow the lead of French banks, which in NFC pilots have renamed the PIN as the “personal code.” Although the banks emphasize that this code is different from the PINs used by customers for their French debit cards, it does not avoid the potential risks of an insecure phone keypad.

But vendors have been developing hardware and software that could provide a trusted area right on the phone processor, which could store encryption keys, certificates and other security measures.

This so-called “trusted execution environment” would add security features to help safeguard PIN entry on the phone keypad and also deter hackers from spying on transaction data displayed on the handset screen. It could offer a security boost for a range of other applications, including enabling secure access through corporate virtual private networks or digital rights management for games or music, among a range of services in app stores of the various smartphone makers.

“The picture is very clear, you will have a smartphone in your pocket; you will have a rich OS (operating system), and there is a real need for security whatever the OS,” Gil Bernabeu, technical director for GlobalPlatform, told NFC Times. “Currently, the Apple and RIM (BlackBerry maker Research in Motion) and Android stores, those guys are making applications with no security.”

GlobalPlatform is developing specifications that apply to software and hardware that use the trusted execution environment in phones. The specifications are for the application programming interface, or API, for applications that run in this trusted environment. The API would enable developers working with various smartphone operating systems and chips to develop applications across all the platforms. Their products now remain proprietary.

While most trusted execution environments on phones use a secure area called TrustZone by UK-based chip design company ARM Holdings, TrustZone ties into different operating systems, such as BlackBerry OS and Android. There are also different phone processor chip makers and at least two major providers of software platforms for applications using TrustZone and the trusted execution environment–smart card vendor Giesecke & Devrient and Trusted Logic, owned by smart card maker Gemalto.

GlobalPlatform members ARM, Giesecke & Devrient, Trusted Logic and chip makers ST-Ericsson and Texas Instruments have worked on the specifications.

These specs will be used for more than NFC applications, and a mobile operator group, the Open Mobile Terminal Platform, also worked on the specifications. The group is now known as the Wholesale Applications Community, or WAC.

But GlobalPlatform needs some support from the major smartphone makers and other chip makers for its specifications. The initiative presumably has the backing of Giesecke & Devrient and Trusted Logic. GlobalPlatform has formed a working group to continue work on the standard.

There is also a need for a secure connection from the trusted execution environment to the secure element or secure chip in the NFC phones, which would store the actual keys to the payment applications and the customers’ PIN codes. This chip could be on a SIM card, embedded in the handset itself or located elsewhere, such as in a microSD card inserted in the phone.

And even with the more secure phone keypad that the trusted environment provides, PIN entry on the phone to complete a payment transaction would not be considered as secure as entering PINs on POS terminal keypads that support the PIN Entry Device standard, or PED, of the PCI Security Standards Council.

But with NFC-based mobile payment expected to begin rolling out by next year, a standard promoting more secure phone keypads and screens is no doubt welcome news for banks and card brands. 

Article comments

 
MK.Mustafa Sep 14 2010

All these security issues can be solved if SCWS-enabled SIM cards are used; this will enable all mobiles to interact with the mobile payment application, which is stored in the SIM card, through a web server. All encryption keys are stored in the SIM and are not visible to the phone OS; all encryption operations are done at the SIM card level.
